
Windows Analysis Report
s2dwlCsA95.exe

Overview

General Information

Sample name: s2dwlCsA95.exe (renamed because original name is a hash value)
Original sample name: 360f5b40a6cbc8f99639d6989a3fd0ac.exe
Analysis ID: 1428546
MD5: 360f5b40a6cbc8f99639d6989a3fd0ac
SHA1: 1709413509c4dedf9e0452d818a5991c0740ca86
SHA256: 09c9e09ef1371e9bc9292abce47d8bd0fdae9cb9fecc42ccfd51f983f43e2bdf
Tags: 32, exe, RiseProStealer, trojan

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • s2dwlCsA95.exe (PID: 6604 cmdline: "C:\Users\user\Desktop\s2dwlCsA95.exe" MD5: 360F5B40A6CBC8F99639D6989A3FD0AC)
    • schtasks.exe (PID: 5624 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 2968 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 3172 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 868 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4852 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 960 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5660 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1008 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1008 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4816 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 984 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6504 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1384 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2000 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1016 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 3116 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1872 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 1272 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1908 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4396 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1876 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 7088 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 360F5B40A6CBC8F99639D6989A3FD0AC)
    • WerFault.exe (PID: 7060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 812 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6776 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 900 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7064 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 932 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 6340 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 360F5B40A6CBC8F99639D6989A3FD0AC)
    • WerFault.exe (PID: 2072 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6340 -s 780 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5320 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6340 -s 872 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • RageMP131.exe (PID: 4816 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 360F5B40A6CBC8F99639D6989A3FD0AC)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\CaUaqkY92GovL9TcuRMGkgg.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\Aso5djWiC8bybG6teNs2YR5.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\9EaqYGrOoLZGqTHtmnARfPr.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\M3KUyMMJ1wTzBxomWRvBAGK.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0000001D.00000002.2847854867.00000000079CB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
0000000A.00000002.2839912338.0000000007B0B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
0000001D.00000003.2719158457.00000000079C8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000000A.00000002.2838613452.0000000004945000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
(56 entries in the full report)

Source | Rule | Description | Author | Strings
9.2.MPGPH131.exe.4a30e67.1.raw.unpack | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
9.3.MPGPH131.exe.4b90000.0.raw.unpack | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
9.2.MPGPH131.exe.400000.0.raw.unpack | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
29.2.RageMP131.exe.400000.0.unpack | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
0.2.s2dwlCsA95.exe.4af0e67.1.raw.unpack | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
(11 entries in the full report)

                            System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\s2dwlCsA95.exe, ProcessId: 6604, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
04/19/24-07:32:13.951565 | 2046266 | 58709 | 49708 | TCP | A Network Trojan was detected
04/19/24-07:32:48.720190 | 2046269 | 49708 | 58709 | TCP | A Network Trojan was detected
04/19/24-07:32:27.323927 | 2046267 | 58709 | 49717 | TCP | A Network Trojan was detected
04/19/24-07:32:13.712283 | 2046266 | 58709 | 49707 | TCP | A Network Trojan was detected
04/19/24-07:32:13.946011 | 2046267 | 58709 | 49707 | TCP | A Network Trojan was detected
04/19/24-07:33:01.046159 | 2046269 | 49717 | 58709 | TCP | A Network Trojan was detected
04/19/24-07:32:47.920285 | 2046269 | 49707 | 58709 | TCP | A Network Trojan was detected
04/19/24-07:32:01.936877 | 2049060 | 49704 | 58709 | TCP | A Network Trojan was detected
04/19/24-07:33:08.467646 | 2046269 | 49721 | 58709 | TCP | A Network Trojan was detected
04/19/24-07:32:05.531331 | 2046269 | 49704 | 58709 | TCP | A Network Trojan was detected
04/19/24-07:32:02.132219 | 2046266 | 58709 | 49704 | TCP | A Network Trojan was detected
04/19/24-07:32:02.374234 | 2046267 | 58709 | 49704 | TCP | A Network Trojan was detected
04/19/24-07:32:31.759927 | 2046267 | 58709 | 49721 | TCP | A Network Trojan was detected
04/19/24-07:32:28.378017 | 2046266 | 58709 | 49721 | TCP | A Network Trojan was detected
04/19/24-07:32:23.533848 | 2046266 | 58709 | 49717 | TCP | A Network Trojan was detected


                            AV Detection

Source: http://193.233.132.167/cost/lenin.exe | URL Reputation: Label: malware
Source: http://147.45.47.102:57893/hera/amadka.exe | Virustotal: Detection: 18%
Source: http://147.45.47.102:57893/hera/amadka.exea | Virustotal: Detection: 15%
Source: http://193.233.132.167/cost/go.exe | Virustotal: Detection: 24%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | ReversingLabs: Detection: 47%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Virustotal: Detection: 50%
Source: s2dwlCsA95.exe | Virustotal: Detection: 50%
Source: s2dwlCsA95.exe | ReversingLabs: Detection: 47%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: s2dwlCsA95.exe | Joe Sandbox ML: detected

                            Compliance

Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Unpacked PE file: 0.2.s2dwlCsA95.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 29.2.RageMP131.exe.400000.0.unpack
Source: s2dwlCsA95.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Windows\SysWOW64\IMM32.DLL
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Windows\SysWOW64\
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Windows\SysWOW64\oleaut32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Windows\SysWOW64\msimg32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\gdiplus.dll

                            Networking

Source: Traffic | Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49704 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49704
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49704
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49704 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49707
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49707
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49708
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49707 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49708 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49717
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49717 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49717
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49721
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49721
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49721 -> 147.45.47.93:58709
Source: global traffic | TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 147.45.47.93:58709
Source: Joe Sandbox View | IP Address: 34.117.186.192 (listed twice)
Source: Joe Sandbox View | IP Address: 147.45.47.93
Source: Joe Sandbox View | IP Address: 172.67.75.166
Source: Joe Sandbox View | ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | DNS query: name: ipinfo.io (2 occurrences)
Source: global traffic | HTTP traffic detected (5 occurrences):
GET /widget/demo/81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: ipinfo.io

Source: global traffic | HTTP traffic detected (5 occurrences):
GET /demo/home.php?s=81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: db-ip.com
Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.47.93 (50 occurrences)
                            Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
                            Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
                            Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
                            Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
                            Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
                            Source: unknown DNS traffic detected: queries for: ipinfo.io
                            Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
                            Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe9
                            Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exea
                            Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe
                            Source: MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2444060139.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exeadka.ex
                            Source: MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exedka.exea
                            Source: MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2838329907.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exeoinoin
                            Source: s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2838329907.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe
                            Source: MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2838329907.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exein9
                            Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exenia
                            Source: Amcache.hve.8.dr String found in binary or memory: http://upx.sf.net
                            Source: s2dwlCsA95.exe, 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp, s2dwlCsA95.exe, 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2127621832.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2823048597.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2836396180.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2129386240.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2844660544.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001D.00000002.2847142038.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2229476539.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
                            Source: s2dwlCsA95.exe, 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp, s2dwlCsA95.exe, 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2127621832.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2823048597.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2836396180.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2129386240.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2844660544.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001D.00000002.2847142038.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2229476539.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
                            Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                            Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                            Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                            Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                            Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
                            Source: MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2444060139.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/-~
                            Source: MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002E9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
                            Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.522
                            Source: MPGPH131.exe, 00000009.00000002.2824634591.0000000003029000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52:1%
                            Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/vVpR
                            Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52
                            Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.527
                            Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr, kfF3SxorO0TnWeb Data.29.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
                            Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr, kfF3SxorO0TnWeb Data.29.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
                            Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr, kfF3SxorO0TnWeb Data.29.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                            Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002E6F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002EB7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
                            Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.000000000304F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003045000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.000000000304F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.000000000304F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.000000000304F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.000000000304F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
                            Source: MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/g
                            Source: s2dwlCsA95.exe, 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp, s2dwlCsA95.exe, 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2127621832.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2823048597.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2836396180.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2129386240.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2844660544.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001D.00000002.2847142038.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2229476539.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
                            Source: MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/t
                            Source: s2dwlCsA95.exe, 00000000.00000002.2415707420.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415246869.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003045000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003019000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D43000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002EB7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002E88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
                            Source: MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2444060139.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52b
                            Source: s2dwlCsA95.exe, 00000000.00000002.2415707420.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003045000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450905357.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457232246.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002EB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52
                            Source: D87fZN3R3jFeplaces.sqlite.9.dr | String found in binary or memory: https://support.mozilla.org
                            Source: D87fZN3R3jFeplaces.sqlite.9.dr | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                            Source: D87fZN3R3jFeplaces.sqlite.9.dr | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
                            Source: RageMP131.exe, 0000001D.00000003.2719533978.00000000079CB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, CaUaqkY92GovL9TcuRMGkgg.zip.9.dr, Aso5djWiC8bybG6teNs2YR5.zip.0.dr | String found in binary or memory: https://t.me/RiseProSUPPORT
                            Source: MPGPH131.exe, 00000009.00000002.2826478110.00000000079AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORT-PC77
                            Source: MPGPH131.exe, 0000000A.00000002.2839912338.0000000007B0B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2630813730.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2632111137.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORT7
                            Source: MPGPH131.exe, 0000000A.00000003.2631101956.0000000007983000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2839750203.0000000007987000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORTP
                            Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORTV
                            Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2718661022.00000000079DA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2847854867.00000000079AB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2718897346.0000000007B27000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.9.dr, passwords.txt.10.dr, passwords.txt.0.dr, passwords.txt.29.dr | String found in binary or memory: https://t.me/risepro_bot
                            Source: MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2444060139.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/risepro_bot52Hg
                            Source: MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/risepro_bot=
                            Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/risepro_botRoman
                            Source: MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2444060139.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/risepro_botisepro_bot
                            Source: MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/risepro_botl
                            Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/risepro_botrisepro
                            Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr | String found in binary or memory: https://www.ecosia.org/newtab/
                            Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr, kfF3SxorO0TnWeb Data.29.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                            Source: D87fZN3R3jFeplaces.sqlite.9.dr | String found in binary or memory: https://www.mozilla.org
                            Source: D87fZN3R3jFeplaces.sqlite.9.dr | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                            Source: D87fZN3R3jFeplaces.sqlite.9.dr | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                            Source: s2dwlCsA95.exe, 00000000.00000002.2416554344.0000000007A43000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2653643818.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2825505075.00000000030B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                            Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/(
                            Source: s2dwlCsA95.exe, 00000000.00000002.2416554344.0000000007A43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/BrsF2
                            Source: s2dwlCsA95.exe, 00000000.00000002.2416554344.0000000007A43000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471869098.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472744212.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2488832236.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465560684.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2489757091.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470290684.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2486798860.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2491826274.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2490434178.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2491080898.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2487659427.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471486526.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2474979528.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2826478110.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467027616.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469156383.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2480668794.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2485832381.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2839636602.0000000007979000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2435031167.0000000007979000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                            Source: s2dwlCsA95.exe, 00000000.00000002.2416554344.0000000007A43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/_rhF5
                            Source: MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2838329907.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/v
                            Source: D87fZN3R3jFeplaces.sqlite.9.dr | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                            Source: s2dwlCsA95.exe, 00000000.00000002.2416554344.0000000007A43000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471869098.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472744212.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2488832236.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465560684.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2489757091.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470290684.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2486798860.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2491826274.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2490434178.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2491080898.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2487659427.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471486526.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2474979528.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2826478110.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467027616.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469156383.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2480668794.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2485832381.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2839636602.0000000007979000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2435031167.0000000007979000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                            Source: s2dwlCsA95.exe, 00000000.00000002.2416554344.0000000007A43000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415246869.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2653643818.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2825505075.00000000030B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/
                            Source: MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/ata
                            Source: s2dwlCsA95.exe, 00000000.00000002.2416554344.0000000007A43000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471869098.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472744212.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2488832236.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465560684.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2489757091.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470290684.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2486798860.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2491826274.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2490434178.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2491080898.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2487659427.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471486526.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2474979528.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2826478110.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467027616.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469156383.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2480668794.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2485832381.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2839636602.0000000007979000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2435031167.0000000007979000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                            Source: s2dwlCsA95.exe, 00000000.00000002.2415246869.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/icr
                            Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/irefoxR
                            Source: MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/ktop
                            Source: s2dwlCsA95.exe, 00000000.00000002.2416554344.0000000007A43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/r
                            Source: MPGPH131.exe, 00000009.00000003.2469264055.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2653643818.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2825505075.00000000030B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.00000000030B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/ss_1h8m
                            Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/t
                            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
                            Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
                            Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
                            Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
                            Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
                            Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
                            Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
                            Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
                            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
                            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
                            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
                            Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
                            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
                            Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
                            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
                            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
                            Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
                            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
                            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
                            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
                            Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49705 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49706 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49715 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49716 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49718 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49719 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49722 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49723 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49724 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49725 version: TLS 1.2

                            System Summary

Source: 0000000A.00000002.2838613452.0000000004945000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2415935130.000000000494C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001D.00000002.2847042300.00000000049A1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000002.2825584090.000000000496E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001D.00000002.2847142038.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 868
Source: s2dwlCsA95.exe, 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamewpa.dll( vs s2dwlCsA95.exe
Source: s2dwlCsA95.exe, 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewpa.dll( vs s2dwlCsA95.exe
Source: s2dwlCsA95.exe, 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewpa.dll( vs s2dwlCsA95.exe
Source: s2dwlCsA95.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0000000A.00000002.2838613452.0000000004945000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2415935130.000000000494C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001D.00000002.2847042300.00000000049A1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000002.2825584090.000000000496E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001D.00000002.2847142038.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@25/154@2/3
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7088
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6340
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6604
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5004:120:WilError_03
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: s2dwlCsA95.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: s2dwlCsA95.exe, 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp, s2dwlCsA95.exe, 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2127621832.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2823048597.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2836396180.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2129386240.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2844660544.0000000000400000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: s2dwlCsA95.exe, 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp, s2dwlCsA95.exe, 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2127621832.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2823048597.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2836396180.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2129386240.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2844660544.0000000000400000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: s2dwlCsA95.exe, 00000000.00000003.2262300997.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468375045.00000000079BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2432370448.0000000007970000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451380054.0000000007AF1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2435031167.0000000007979000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450589041.000000000797F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2434487861.0000000007981000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2499201453.0000000007B20000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2499909820.00000000079BE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486463991.00000000079C3000.00000004.00000020.00020000.00000000.sdmp, u0mEFv0CB7P7Login Data.10.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: s2dwlCsA95.exe | Virustotal: Detection: 50%
Source: s2dwlCsA95.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | File read: C:\Users\user\Desktop\s2dwlCsA95.exe
Source: unknown | Process created: C:\Users\user\Desktop\s2dwlCsA95.exe "C:\Users\user\Desktop\s2dwlCsA95.exe"
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 868
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 960
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1008
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1008
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 984
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1384
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1016
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 812
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6340 -s 780
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1872
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1908
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 900
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6340 -s 872
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1876
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 932
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msimg32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msvcr100.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msimg32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msvcr100.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptbase.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: vaultcli.dllJump to behavior
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntmarta.dllJump to behavior
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: msimg32.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rstrtmgr.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncrypt.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ntasn1.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: msvcr100.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d11.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxgi.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: resourcepolicyclient.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d10warp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxcore.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winhttp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wininet.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mswsock.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: devobj.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: webio.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: iphlpapi.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winnsi.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dnsapi.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rasadhlp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: fwpuclnt.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: schannel.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mskeyprotect.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncryptsslp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: msasn1.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: gpapi.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: vaultcli.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wintypes.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ntmarta.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dpapi.dll
                            Source: Window RecorderWindow detected: More than 3 window changes detected
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

                            Data Obfuscation

                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe Unpacked PE file: 0.2.s2dwlCsA95.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 29.2.RageMP131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe Unpacked PE file: 0.2.s2dwlCsA95.exe.400000.0.unpack
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 29.2.RageMP131.exe.400000.0.unpack
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe

                            Boot Survival

                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (51 identical entries)
                            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (6 identical entries)
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe TID: 1248 | Thread sleep count: 62 > 30
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3180 | Thread sleep count: 34 > 30
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3180 | Thread sleep count: 49 > 30
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5064 | Thread sleep count: 83 > 30
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5064 | Thread sleep count: 32 > 30
                            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Windows\SysWOW64\IMM32.DLL
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Windows\SysWOW64\
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Windows\SysWOW64\oleaut32.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Windows\SysWOW64\msimg32.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\gdiplus.dll
                            Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: formVMware20,11696428655
                            Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ccount.microsoft.com/profileVMware20,11696428655u
                            Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696428655
                            Source: MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBn
                            Source: RageMP131.exe, 0000001D.00000003.2508615965.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696
                            Source: RageMP131.exe, 0000001D.00000003.2508615965.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .comVMware20,11696428
                            Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: r global passwords blocklistVMware20,11696428655
                            Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002E88000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
                            Source: Amcache.hve.8.dr | Binary or memory string: vmci.sys
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: AMC password management pageVMware20,11696428655
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
                            Source: s2dwlCsA95.exe, 00000000.00000002.2415246869.0000000002EFF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8T
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
                            Source: RageMP131.exe, 0000001D.00000003.2508615965.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ebrokers.co.inVMware20,11696428655d
                            Source: Amcache.hve.8.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                            Source: Amcache.hve.8.dr | Binary or memory string: VMware PCI VMCI Bus Device
                            Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual RAM
                            Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*
                            Source: Amcache.hve.8.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
                            Source: s2dwlCsA95.exe, MPGPH131.exe | Binary or memory string: hgFsatiaOZiP5ud66KrfNQakFogGwqi01OGshxNLlXk75qdnYqEmja4bFX50KvIXsUhbKrnbOpHRo5rei0yg1qt3msWkBojOykFtdII2ep8Ti5TC6idfMCnds9Npph6Fqyu1pQe3o5O3p7yYZqcVUtG1R0ejStP9RHuhTF0KXntOn9xGOgHsABEhd4KFsN9MvtQZdJWYqjSF1BtshZUYEEghs8BkuMryRbq1kaSnMG0jvJhXLWSsyBzLkeFQZDuwCEck
                            Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual USB Mouse
                            Source: MPGPH131.exe, 00000009.00000002.2824634591.0000000003027000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: discord.comVMware20,11696428655f
                            Source: RageMP131.exe, 0000001D.00000003.2278848725.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: Amcache.hve.8.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                            Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
                            Source: Amcache.hve.8.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                            Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rootpagecomVMware20,11696428655o
                            Source: RageMP131.exe, 0000001D.00000003.2508615965.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s.portal.azure.comVMware20,11696428655
                            Source: Amcache.hve.8.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                            Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin`
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                            Source: Amcache.hve.8.dr | Binary or memory string: \driver\vmci,\driver\pci
                            Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: pageformVMware20,11696428655
                            Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \?\scsi_vmwaretual_dif219&0&3f563070-94f2-b8b}
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                            Source: MPGPH131.exe, 00000009.00000002.2825505075.00000000030B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}FilesPSModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                            Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,116968h
                            Source: RageMP131.exe, 0000001D.00000003.2508615965.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: billing_address_id.comVMware20,11696428
                            Source: Amcache.hve.8.dr | Binary or memory string: VMware
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                            Source: MPGPH131.exe | Binary or memory string: ehgFsatiaOZiP5ud66KrfNQakFogGwqi01OGshxNLlXk75qdnYqEmja4bFX50KvIXsUhbKrnbOpHRo5rei0yg1qt3msWkBojOykFtdII2ep8Ti5TC6idfMCnds9Npph6Fqyu1pQe3o5O3p7yYZqcVUtG1R0ejStP9RHuhTF0KXntOn9xGOgHsABEhd4KFsN9MvtQZdJWYqjSF1BtshZUYEEghs8BkuMryRbq1kaSnMG0jvJhXLWSsyBzLkeFQZDuwCEc
                            Source: RageMP131.exe, 0000001D.00000003.2719533978.00000000079CB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@
                            Source: RageMP131.exe, 0000001D.00000003.2508615965.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .utiitsl.comVMware20,1169642865
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: global block list test formVMware20,11696428655
                            Source: Amcache.hve.8.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                            Source: MPGPH131.exe, 0000000A.00000003.2630559206.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}g\
                            Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003045000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                            Source: MPGPH131.exe, 0000000A.00000002.2838329907.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_A8AFF657T
                            Source: MPGPH131.exe, 0000000A.00000003.2182907727.0000000002D58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}`M
                            Source: RageMP131.exe, 0000001D.00000003.2278848725.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}a\*
                            Source: Amcache.hve.8.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                            Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,1169642865
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                            Source: RageMP131.exe, 0000001D.00000003.2508615965.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,116`e
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                            Source: RageMP131.exe, 0000001D.00000003.2508615965.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: nickname.utiitsl.comVMware20,1169642865
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                            Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1
                            Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                            Source: Amcache.hve.8.dr | Binary or memory string: NECVMWar VMware SATA CD00
                            Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                            Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                            Source: RageMP131.exe, 0000001D.00000003.2508615965.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ra Change Transaction PasswordVMware20,11696428655
                            Source: Amcache.hve.8.dr | Binary or memory string: VMware VMCI Bus Device
                            Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: o.inVMware20,11696428655~
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                            Source: Amcache.hve.8.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                            Source: RageMP131.exe, 0000001D.00000002.2846896933.0000000002F22000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_A8AFF657
                            Source: s2dwlCsA95.exe, 00000000.00000002.2416743946.0000000007C36000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}rtjjegpclfi
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                            Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin
                            Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc.
                            Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1hbin@
                            Source: Amcache.hve.8.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                            Source: s2dwlCsA95.exe | Binary or memory string: +fO7ouTkHRIuiYlHQ5jkXRAOj+SDkmHpEPStTzpBpB0SLrWJh1O2CHpgHT9SDokXWuT7k/o0zmFdI+5yZXyfjdDVtvdBCKQMC7RUN74ZnXXnXfhxjfIuiZlHWLOEZh7yU2OUXaC0KOu1lA7guRD8jUl+YL/jV4e4s8Af3Yf0SL+EH9Nir8/I/6cgr8AuehgFsatiaOZiP5ud66KrfNQakFogGwqi01OGshxNLlXk75qdnYqEmja4bFX50KvIXsUhbKrn
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                            Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696428655
                            Source: MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b:o8
                            Source: MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}*9zo
                            Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _vmware
                            Source: Amcache.hve.8.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                            Source: s2dwlCsA95.exe, 00000000.00000002.2416554344.0000000007A00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}x
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                            Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: comVMware20,11696428655o
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                            Source: Amcache.hve.8.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                            Source: AwY3wK8EalbzWeb Data.29.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                            Source: MPGPH131.exe | Binary or memory string: akS6ApEPStTbp3vENJJ1DSPeUmxwyIl3NG9og8hB5TYq8dyLynII8M+fO7ouTkHRIuiYlHQ5jkXRAOj+SDkmHpEPStTzpBpB0SLrWJh1O2CHpgHT9SDokXWuT7k/o0zmFdI+5yZXyfjdDVtvdBCKQMC7RUN74ZnXXnXfhxjfIuiZlHWLOEZh7yU2OUXaC0KOu1lA7guRD8jUl+YL/jV4e4s8Af3Yf0SL+EH9Nir8/I/6cgr8AuehgFsatiaOZiP5ud66
                            Source: Amcache.hve.8.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                            Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696428655
                            Source: Amcache.hve.8.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                            Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWL
                            Source: MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D43000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
                            Source: MPGPH131.exe | Binary or memory string: kS6ApEPStTbp3vENJJ1DSPeUmxwyIl3NG9og8hB5TYq8dyLynII8M+fO7ouTkHRIuiYlHQ5jkXRAOj+SDkmHpEPStTzpBpB0SLrWJh1O2CHpgHT9SDokXWuT7k/o0zmFdI+5yZXyfjdDVtvdBCKQMC7RUN74ZnXXnXfhxjfIuiZlHWLOEZh7yU2OUXaC0KOu1lA7guRD8jUl+YL/jV4e4s8Af3Yf0SL+EH9Nir8/I/6cgr8AuehgFsatiaOZiP5ud66K
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process information queried: ProcessInformation
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process queried: DebugPort
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process queried: DebugPort
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process queried: DebugPort
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Process queried: DebugPort
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                            Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                            Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
                            Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                            Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe

                            Stealing of Sensitive Information

                            Source: Yara match | File source: 9.2.MPGPH131.exe.4a30e67.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 9.3.MPGPH131.exe.4b90000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 9.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 29.2.RageMP131.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.s2dwlCsA95.exe.4af0e67.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.s2dwlCsA95.exe.400000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 10.3.MPGPH131.exe.4b60000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 29.2.RageMP131.exe.400000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 29.3.RageMP131.exe.4bc0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 10.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 9.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 10.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 10.2.MPGPH131.exe.4a00e67.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 29.2.RageMP131.exe.4a60e67.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.s2dwlCsA95.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.3.s2dwlCsA95.exe.4c50000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0000001D.00000002.2847854867.00000000079CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000002.2839912338.0000000007B0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001D.00000003.2719158457.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000003.2380582113.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000003.2380919991.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2415246869.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000003.2127621832.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000003.2631101956.0000000007983000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000003.2630742381.0000000007983000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000002.2839750203.0000000007987000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001D.00000002.2847854867.00000000079AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001D.00000003.2719409895.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001D.00000003.2719285122.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000002.2836396180.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000003.2630813730.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000003.2631558554.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001D.00000003.2719533978.00000000079CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000003.2381605815.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000003.2631457958.0000000007983000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000003.2631172078.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2415707420.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2416554344.0000000007A00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000003.2632111137.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000002.2826478110.000000000796A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000003.2631820625.0000000007987000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001D.00000002.2844660544.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001D.00000002.2846157398.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000002.2826478110.00000000079AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001D.00000002.2847142038.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001D.00000003.2229476539.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000003.2129386240.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000002.2823048597.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: s2dwlCsA95.exe PID: 6604, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7088, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 6340, type: MEMORYSTR
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\CaUaqkY92GovL9TcuRMGkgg.zip, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Aso5djWiC8bybG6teNs2YR5.zip, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\9EaqYGrOoLZGqTHtmnARfPr.zip, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\M3KUyMMJ1wTzBxomWRvBAGK.zip, type: DROPPED
                            Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                            Source: s2dwlCsA95.exe, 00000000.00000002.2415246869.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
                            Source: s2dwlCsA95.exe, 00000000.00000002.2415246869.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Jaxx\Local Storage
                            Source: s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                            Source: s2dwlCsA95.exe, 00000000.00000003.2380441433.0000000007C2F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
                            Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
                            Source: s2dwlCsA95.exe, 00000000.00000002.2415246869.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                            Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
                            Source: MPGPH131.exe, 00000009.00000002.2826478110.0000000007960000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                            Source: C:\Users\user\Desktop\s2dwlCsA95.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                            Source: Yara match | File source: 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: s2dwlCsA95.exe PID: 6604, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7088, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 6340, type: MEMORYSTR
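The file, registry-key and memory-string entries in this section are the raw stealer footprint: Firefox credential and history databases, Chrome extension storage directories keyed by extension ID, mail-client profile locations and desktop wallet paths. When triaging a report like this one it helps to fold those entries into a categorized indicator list instead of reading them line by line. The script below is an added example written for this page; it is not Joe Sandbox code and not part of the analysed sample. The category rules, the process-name extraction and the sample lines (copied from the listing above, in the fused "Source: ... File opened: ..." layout the extraction produced) are assumptions of the example, and the rule set only covers the artifact types that occur in this report.

```python
"""Triage helper: classify the 'File opened' / 'Key opened' / 'String found'
entries of a Joe Sandbox behaviour listing into stealer target categories and
pull out the Chrome extension IDs that were touched.  Added example, not
Joe Sandbox code."""
import re
from collections import defaultdict

# Constructed sample input: lines copied from the behaviour listing, in the
# fused "Source: <source><event>: <target>[Jump to behavior]" layout.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Desktop\s2dwlCsA95.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
Source: C:\Users\user\Desktop\s2dwlCsA95.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
Source: s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: MPGPH131.exe, 00000009.00000002.2826478110.0000000007960000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
"""

# One behaviour entry; the trailing "Jump to behavior" link text is optional.
EVENT_RE = re.compile(
    r"^Source: (?P<src>.+?)"
    r"(?P<event>File opened|Key opened|String found in binary or memory): "
    r"(?P<target>.+?)(?:Jump to behavior)?$"
)
# First "<name>.exe" in the source, whether it is a path or a "<exe>, <dump>.sdmp" memory source.
PROCESS_RE = re.compile(r"([^\\,]+\.exe)", re.IGNORECASE)
# Chrome extension IDs are 32 characters drawn from a-p.
EXT_ID_RE = re.compile(r"(?:Extension Settings\\|chrome-extension_)([a-p]{32})")

# Ordered (category, pattern) rules over the target path; first match wins.
# Assumed categories; they mirror only the artifact types seen in this report.
RULES = [
    ("chrome_extension_storage",
     re.compile(r"\\(?:Local|Sync) Extension Settings\\|chrome-extension_[a-p]{32}_")),
    ("browser_credentials",
     re.compile(r"\\(?:logins\.json|signons\.sqlite|key[34]\.db|Login Data)$")),
    ("browser_history_forms",
     re.compile(r"\\(?:places|formhistory)\.sqlite$")),
    ("mail_client",
     re.compile(r"\\Thunderbird\\profiles\.ini$|Windows Messaging Subsystem\\Profiles\\Outlook")),
    ("browser_profile_enum",
     re.compile(r"\\profiles\.ini$")),
    ("crypto_wallet",
     re.compile(r"\\(?:Electrum-LTC|ElectronCash|Jaxx|Exodus|Ethereum|Binance|Coinomi|MultiDoge|Ledger Live)(?:\\|$)")),
]


def classify(target):
    """Return the stealer target category for one file/registry/string target."""
    for category, pattern in RULES:
        if pattern.search(target):
            return category
    return "other"


def triage(text):
    """Parse behaviour lines and return categories, extension IDs and acting processes."""
    by_category = defaultdict(set)
    extension_ids = set()
    processes = set()
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # headings, Yara match lines, blank lines
        target = m.group("target")
        by_category[classify(target)].add(target)
        extension_ids.update(EXT_ID_RE.findall(target))
        p = PROCESS_RE.search(m.group("src"))
        if p:
            processes.add(p.group(1))
    return {
        "categories": {k: sorted(v) for k, v in by_category.items()},
        "extension_ids": sorted(extension_ids),
        "processes": sorted(processes),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    for category, targets in report["categories"].items():
        print(f"[{category}] {len(targets)} target(s)")
        for t in targets:
            print("    ", t)
    print("extension IDs:", ", ".join(report["extension_ids"]))
    print("processes:", ", ".join(report["processes"]))
```

Run it against the full report text instead of SAMPLE_LINES to get the complete picture; the extension IDs it collects can be looked up by ID in the Chrome Web Store (nkbihfbeogaeaoehlefnkodbefgpgknn, for instance, is MetaMask), and the process list shows which of the three binaries (the submitted sample, the ProgramData copy and the RageMP131 copy) actually performed the collection.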

                            Remote Access Functionality

                            Source: Yara match | File source: 9.2.MPGPH131.exe.4a30e67.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 9.3.MPGPH131.exe.4b90000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 9.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 29.2.RageMP131.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.s2dwlCsA95.exe.4af0e67.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.s2dwlCsA95.exe.400000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 10.3.MPGPH131.exe.4b60000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 29.2.RageMP131.exe.400000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 29.3.RageMP131.exe.4bc0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 10.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 9.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 10.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 10.2.MPGPH131.exe.4a00e67.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 29.2.RageMP131.exe.4a60e67.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.s2dwlCsA95.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.3.s2dwlCsA95.exe.4c50000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0000001D.00000002.2847854867.00000000079CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000002.2839912338.0000000007B0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001D.00000003.2719158457.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000003.2380582113.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000003.2380919991.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2415246869.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000003.2127621832.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000003.2631101956.0000000007983000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000003.2630742381.0000000007983000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000002.2839750203.0000000007987000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001D.00000002.2847854867.00000000079AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001D.00000003.2719409895.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001D.00000003.2719285122.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000002.2836396180.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000003.2630813730.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000003.2631558554.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001D.00000003.2719533978.00000000079CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000003.2381605815.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000003.2631457958.0000000007983000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000003.2631172078.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2415707420.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2416554344.0000000007A00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000003.2632111137.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000002.2826478110.000000000796A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000A.00000003.2631820625.0000000007987000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001D.00000002.2844660544.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000001D.00000002.2846157398.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000002.2826478110.00000000079AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001D.00000002.2847142038.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001D.00000003.2229476539.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000003.2129386240.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000002.2823048597.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: s2dwlCsA95.exe PID: 6604, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 7088, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 6340, type: MEMORYSTR
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\CaUaqkY92GovL9TcuRMGkgg.zip, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Aso5djWiC8bybG6teNs2YR5.zip, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\9EaqYGrOoLZGqTHtmnARfPr.zip, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\M3KUyMMJ1wTzBxomWRvBAGK.zip, type: DROPPED
MITRE ATT&CK Matrix (the number in brackets is the count of matched signatures for that technique; techniques listed without a count had no matching signature in this analysis)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter [2]; Scheduled Task/Job [1]; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection [1]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [2]; Process Injection [1]; Software Packing [2]; DLL Side-Loading [1]; Steganography; Compile After Delivery
Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Query Registry [1]; Security Software Discovery [121]; Virtualization/Sandbox Evasion [2]; Process Discovery [1]; System Network Configuration Discovery [1]; File and Directory Discovery [2]; System Information Discovery [23]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection [1]; Data from Local System [2]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [13]; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet
Behavior Graph (ID: 1428546; Sample: s2dwlCsA95.exe; Start date: 19/04/2024; Architecture: WINDOWS; Score: 100)

Sample-level DNS/IP info: ipinfo.io; db-ip.com
Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 5 other signatures

Process tree as drawn in the graph (bracketed numbers are the graph's per-process counters for created registry values and created files, reproduced as shown):

s2dwlCsA95.exe [1 63]
  Network: 147.45.47.93, ports 49704, 49707, 49708 (FREE-NET-AS FREEnet EU, Russian Federation); ipinfo.io = 34.117.186.192, ports 443, 49705, 49715 (GOOGLE-AS-AP Google Asia Pacific Pte Ltd SG, United States); db-ip.com = 172.67.75.166, ports 443, 49706, 49718 (CLOUDFLARENET US, United States)
  Dropped: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32); C:\ProgramData\MPGPH131\MPGPH131.exe (PE32); C:\Users\user\...\Aso5djWiC8bybG6teNs2YR5.zip (Zip)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file / registry access); Uses schtasks.exe or at.exe to add and modify task schedules
  Child processes: schtasks.exe [1] -> conhost.exe; schtasks.exe [1] -> conhost.exe; WerFault.exe [19 16]; 9 other processes

MPGPH131.exe [56]
  Dropped: C:\Users\user\...\CaUaqkY92GovL9TcuRMGkgg.zip (Zip)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen)
  Child processes: WerFault.exe (three instances)

RageMP131.exe
  Dropped: C:\Users\user\...\9EaqYGrOoLZGqTHtmnARfPr.zip (Zip)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)

MPGPH131.exe [56]
  Dropped: C:\Users\user\...\M3KUyMMJ1wTzBxomWRvBAGK.zip (Zip)
  Child processes: WerFault.exe (two instances)
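The two network signatures the graph attaches to this sample ("Connects to many ports of the same IP" and "Detected TCP or UDP traffic on non-standard ports") are easy to reproduce over flow records. The following is an added example, not Joe Sandbox code: it replays the destinations from the graph as constructed flow tuples, flags port fan-out and non-standard ports per destination IP, and emits a Snort/Suricata rule for each flagged host. The graph does not state which side of the 147.45.47.93 connections the ports 49704/49707/49708 belong to; treating them as remote ports, and the STANDARD_PORTS set, are assumptions made for the example.

```python
from collections import defaultdict

# Constructed flow records (dst_ip, dst_port, proto) modelled on the
# connections in the behavior graph.  Treating 49704/49707/49708 as remote
# ports on 147.45.47.93 is an assumption; the graph does not state direction.
SAMPLE_FLOWS = [
    ("147.45.47.93", 49704, "tcp"),
    ("147.45.47.93", 49707, "tcp"),
    ("147.45.47.93", 49708, "tcp"),
    ("34.117.186.192", 443, "tcp"),   # ipinfo.io (geolocation lookup)
    ("34.117.186.192", 443, "tcp"),
    ("172.67.75.166", 443, "tcp"),    # db-ip.com (geolocation lookup)
    ("172.67.75.166", 443, "tcp"),
]

# Remote ports a workstation is normally expected to use.  Anything else is
# treated as "non-standard" here; this set is an assumption, tune it per site.
STANDARD_PORTS = {53, 80, 443}


def analyse_flows(flows, fanout_threshold=3):
    """Return the two findings keyed by destination IP.

    port_fanout:       IPs contacted on >= fanout_threshold distinct ports
    non_standard_port: IPs contacted on any port outside STANDARD_PORTS
    """
    ports_by_ip = defaultdict(set)
    for dst_ip, dst_port, _proto in flows:
        ports_by_ip[dst_ip].add(dst_port)

    fanout = {ip: sorted(p) for ip, p in ports_by_ip.items()
              if len(p) >= fanout_threshold}

    non_standard = {}
    for ip, ports in ports_by_ip.items():
        odd = sorted(p for p in ports if p not in STANDARD_PORTS)
        if odd:
            non_standard[ip] = odd

    return {"port_fanout": fanout, "non_standard_port": non_standard}


def snort_rules(findings, base_sid=1000001):
    """One rule per IP flagged for port fan-out so the sandbox finding can be
    replayed as a network alert.  SIDs from 1000000 up are reserved for local
    rules, which is why the default base_sid starts there."""
    rules = []
    for i, ip in enumerate(sorted(findings["port_fanout"])):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} any '
            f'(msg:"Sandbox IOC: multi-port contact to {ip}"; '
            f'flow:to_server; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    findings = analyse_flows(SAMPLE_FLOWS)
    for kind, hits in findings.items():
        for ip, ports in hits.items():
            print(f"{kind}: {ip} ports={ports}")
    for rule in snort_rules(findings):
        print(rule)
```

The fan-out check is the one that separates the C2 host from the geolocation services: ipinfo.io and db-ip.com are each contacted on 443 only, so neither check fires for them, while 147.45.47.93 trips both. The threshold of three is deliberately low to match what a short sandbox run shows; on production flow data raise it, or window it per hour, to keep scanners and load balancers from flooding the alert.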

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample
Source | Detection | Scanner | Label
s2dwlCsA95.exe | 51% | Virustotal |
s2dwlCsA95.exe | 47% | ReversingLabs | Win32.Trojan.Privateloader
s2dwlCsA95.exe | 100% | Joe Sandbox ML |

Dropped files
Source | Detection | Scanner | Label
C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML |
C:\ProgramData\MPGPH131\MPGPH131.exe | 47% | ReversingLabs | Win32.Trojan.Generic
C:\ProgramData\MPGPH131\MPGPH131.exe | 51% | Virustotal |
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 47% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 51% | Virustotal |

No Antivirus matches
No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://193.233.132.167/cost/lenin.exe | 100% | URL Reputation | malware
http://147.45.47.102:57893/hera/amadka.exe | 18% | Virustotal |
http://147.45.47.102:57893/hera/amadka.exea | 15% | Virustotal |
http://193.233.132.167/cost/go.exe | 25% | Virustotal |
Domains contacted
Name | IP | Active | Malicious | Reputation
ipinfo.io | 34.117.186.192 | true | false | high
db-ip.com | 172.67.75.166 | true | false | high

URLs contacted
Name | Malicious | Reputation
https://ipinfo.io/widget/demo/81.181.57.52 | false | high
https://db-ip.com/demo/home.php?s=81.181.57.52 | false | high
URLs found in memory and dropped files (Name / Source / Malicious / Reputation)

https://duckduckgo.com/chrome_newtab
  Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr, kfF3SxorO0TnWeb Data.29.dr
  Malicious: false; Reputation: high

http://147.45.47.102:57893/hera/amadka.exe9
  Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: unknown

https://duckduckgo.com/ac/?q=
  Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr, kfF3SxorO0TnWeb Data.29.dr
  Malicious: false; Reputation: high

http://193.233.132.167/cost/go.exeadka.ex
  Source: MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2444060139.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: unknown

http://193.233.132.167/cost/go.exeoinoin
  Source: MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2838329907.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: unknown

https://t.me/risepro_bot52Hg
  Source: MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2444060139.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high

http://147.45.47.102:57893/hera/amadka.exe
  Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: unknown

https://db-ip.com/
  Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
  Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr
  Malicious: false; Reputation: high

https://t.me/risepro_botRoman
  Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high

http://193.233.132.167/cost/go.exe
  Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: unknown

https://t.me/RiseProSUPPORTV
  Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://ipinfo.io/widget/demo/81.181.57.52b
  Source: MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2444060139.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://t.me/RiseProSUPPORTP
  Source: MPGPH131.exe, 0000000A.00000003.2631101956.0000000007983000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2839750203.0000000007987000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://ipinfo.io:443/widget/demo/81.181.57.52
  Source: s2dwlCsA95.exe, 00000000.00000002.2415707420.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003045000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450905357.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457232246.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002EB7000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
  Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr
  Malicious: false; Reputation: high

https://ipinfo.io/t
  Source: MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D2D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://t.me/risepro_botisepro_bot
  Source: MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2444060139.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high

http://193.233.132.167/cost/lenin.exein9
  Source: MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2838329907.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
                                                                      unknown
                                                                      https://ipinfo.io/gMPGPH131.exe, 0000000A.00000003.2441425631.0000000002D62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D5E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://t.me/risepro_bot=MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://193.233.132.167/cost/lenin.exes2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 
0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2838329907.0000000002DD3000.00000004.00000020.00020000.00000000.sdmptrue
                                                                          • URL Reputation: malware
                                                                          unknown
                                                                          https://db-ip.com/demo/home.php?s=81.181.57.52:1%MPGPH131.exe, 00000009.00000002.2824634591.0000000003029000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://t.me/risepro_botriseproRageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://db-ip.com:443/demo/home.php?s=81.181.57.52s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 
0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://t.me/RiseProSUPPORT7MPGPH131.exe, 0000000A.00000002.2839912338.0000000007B0B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2630813730.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2632111137.0000000007B0A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://www.google.com/images/branding/product/ico/googleg_lodp.icos2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr, kfF3SxorO0TnWeb Data.29.drfalse
                                                                                    high
                                                                                    http://193.233.132.167/cost/go.exedka.exeaMPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      https://db-ip.com/-~MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2444060139.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://db-ip.com/demo/home.php?s=81.181.57.522RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dlls2dwlCsA95.exe, 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp, s2dwlCsA95.exe, 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2127621832.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2823048597.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2836396180.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2129386240.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2844660544.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001D.00000002.2847142038.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2229476539.0000000004BC0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr, kfF3SxorO0TnWeb Data.29.drfalse
                                                                                              high
                                                                                              http://upx.sf.netAmcache.hve.8.drfalse
                                                                                                high
                                                                                                https://t.me/RiseProSUPPORTRageMP131.exe, 0000001D.00000003.2719533978.00000000079CB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, CaUaqkY92GovL9TcuRMGkgg.zip.9.dr, Aso5djWiC8bybG6teNs2YR5.zip.0.drfalse
                                                                                                  high
                                                                                                  https://www.ecosia.org/newtab/s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.drfalse
                                                                                                    high
                                                                                                    https://ipinfo.io/Mozilla/5.0s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.000000000304F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003045000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.000000000304F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.000000000304F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.000000000304F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.000000000304F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 
0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brD87fZN3R3jFeplaces.sqlite.9.drfalse
                                                                                                        high
                                                                                                        http://147.45.47.102:57893/hera/amadka.exeaRageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                                                                                        https://ac.ecosia.org/autocomplete?q=s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.drfalse
                                                                                                          high
                                                                                                          https://t.me/RiseProSUPPORT-PC77MPGPH131.exe, 00000009.00000002.2826478110.00000000079AB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://t.me/risepro_botRageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2718661022.00000000079DA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2847854867.00000000079AB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2718897346.0000000007B27000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.9.dr, passwords.txt.10.dr, passwords.txt.0.dr, passwords.txt.29.drfalse
                                                                                                              high
                                                                                                              http://193.233.132.167/cost/lenin.exeniaRageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                https://t.me/risepro_botlMPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://ipinfo.io/RageMP131.exe, 0000001D.00000002.2846157398.0000000002E6F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002EB7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002EA8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBLD87fZN3R3jFeplaces.sqlite.9.drfalse
                                                                                                                      high
                                                                                                                      http://www.winimage.com/zLibDlls2dwlCsA95.exe, 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp, s2dwlCsA95.exe, 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2127621832.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2823048597.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2836396180.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2129386240.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2844660544.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001D.00000002.2847142038.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2229476539.0000000004BC0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://support.mozilla.orgD87fZN3R3jFeplaces.sqlite.9.drfalse
                                                                                                                          high
                                                                                                                          https://db-ip.com:443/demo/home.php?s=81.181.57.527RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.drfalse
                                                                                                                              high
                                                                                                                              https://db-ip.com/vVpRRageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://www.winimage.com/zLibDllDpRTpRs2dwlCsA95.exe, 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp, s2dwlCsA95.exe, 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2127621832.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2823048597.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2836396180.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2129386240.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2844660544.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001D.00000002.2847142038.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2229476539.0000000004BC0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                  high
Legend (share of contacted IPs per country):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
34.117.186.192 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
147.45.47.93 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | true
172.67.75.166 | db-ip.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1428546
Start date and time: 2024-04-19 07:31:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: s2dwlCsA95.exe (renamed because the original name is a hash value)
Original Sample Name: 360f5b40a6cbc8f99639d6989a3fd0ac.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@25/154@2/3
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may have missing disassembly code information.
• Report size exceeded the maximum capacity and may have missing behavior information.
• Report size getting too big: too many NtCreateFile calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
Time | Type | Description
07:32:01 | Task Scheduler | Run new task: MPGPH131 HR, path: C:\ProgramData\MPGPH131\MPGPH131.exe
07:32:01 | Task Scheduler | Run new task: MPGPH131 LG, path: C:\ProgramData\MPGPH131\MPGPH131.exe
07:32:01 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value RageMP131 = C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
07:32:13 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value RageMP131 = C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
IP context (other analyses that contacted the same IP):

Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.117.186.192 | SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe | malicious | Unknown | ipinfo.io/json
34.117.186.192 | SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe | malicious | Unknown | ipinfo.io/json
34.117.186.192 | Raptor.HardwareService.Setup 1.msi | malicious | Unknown | ipinfo.io/ip
34.117.186.192 | Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
34.117.186.192 | Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
34.117.186.192 | w.sh | malicious | Xmrig | /ip
34.117.186.192 | Raptor.HardwareService.Setup_2.3.6.0.msi | malicious | Unknown | ipinfo.io/ip
34.117.186.192 | Raptor.HardwareService.Setup_2.3.6.0.msi | malicious | Unknown | ipinfo.io/ip
34.117.186.192 | uUsgzQ3DoW.exe | malicious | RedLine | ipinfo.io/ip
34.117.186.192 | 8BZBgbeCcz.exe | malicious | RedLine | ipinfo.io/ip
147.45.47.93 | SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe | malicious | Amadey, RedLine, RisePro Stealer |
147.45.47.93 | SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer |
147.45.47.93 | UeW2b6mU6Z.exe | malicious | Amadey, RisePro Stealer |
147.45.47.93 | tA6etkt3gb.exe | malicious | Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT |
147.45.47.93 | file.exe | malicious | RisePro Stealer |
147.45.47.93 | dendy.exe | malicious | RisePro Stealer |
147.45.47.93 | Q73YlTAmWe.exe | malicious | RisePro Stealer |
147.45.47.93 | file.exe | malicious | RisePro Stealer |
147.45.47.93 | 7AdIyN5s2K.exe | malicious | RisePro Stealer |
147.45.47.93 | YUoiqJo8Sk.exe | malicious | RisePro Stealer |
172.67.75.166 | file.exe | malicious | Clipboard Hijacker, RisePro Stealer |
172.67.75.166 | TANQUIVUIA.exe | malicious | LummaC, RisePro Stealer |
172.67.75.166 | oZ8kX4OA5q.exe | malicious | RisePro Stealer |
172.67.75.166 | S2ruRfajig.exe | malicious | RisePro Stealer |
172.67.75.166 | WARYTtjh4l.exe | malicious | RisePro Stealer |
172.67.75.166 | fzrGl94EQ2.exe | malicious | RisePro Stealer |
172.67.75.166 | SeR6QESSMe.exe | malicious | RisePro Stealer |
172.67.75.166 | z21FdylQJD.exe | malicious | RisePro Stealer |
172.67.75.166 | tBtJCF8REJ.exe | malicious | RisePro Stealer |
172.67.75.166 | C1ZDhW5vDK.exe | malicious | RisePro Stealer |
Domain context (other analyses that resolved the same domain; Context is the IP it resolved to):

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipinfo.io | Sp#U251c#U0434ti.exe | malicious | DanaBot | 34.117.186.192
ipinfo.io | Sp#U251c#U0434ti.exe | malicious | Unknown | 34.117.186.192
ipinfo.io | SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe | malicious | Amadey, RedLine, RisePro Stealer | 34.117.186.192
ipinfo.io | s.exe | malicious | Unknown | 34.117.186.192
ipinfo.io | UeW2b6mU6Z.exe | malicious | Amadey, RisePro Stealer | 34.117.186.192
ipinfo.io | pQTmpNQX2u.exe | malicious | DCRat | 34.117.186.192
ipinfo.io | file.exe | malicious | RisePro Stealer | 34.117.186.192
ipinfo.io | dendy.exe | malicious | RisePro Stealer | 34.117.186.192
ipinfo.io | Sp#U251c#U0434ti.exe | malicious | Unknown | 34.117.186.192
ipinfo.io | EpsilonFruit.exe | malicious | Pafish | 34.117.186.192
db-ip.com | SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe | malicious | Amadey, RedLine, RisePro Stealer | 104.26.5.15
db-ip.com | UeW2b6mU6Z.exe | malicious | Amadey, RisePro Stealer | 104.26.5.15
db-ip.com | file.exe | malicious | RisePro Stealer | 104.26.4.15
db-ip.com | dendy.exe | malicious | RisePro Stealer | 104.26.5.15
db-ip.com | Q73YlTAmWe.exe | malicious | RisePro Stealer | 104.26.4.15
db-ip.com | file.exe | malicious | RisePro Stealer | 104.26.4.15
db-ip.com | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 172.67.75.166
db-ip.com | 7AdIyN5s2K.exe | malicious | RisePro Stealer | 104.26.5.15
db-ip.com | file.exe | malicious | RisePro Stealer | 104.26.5.15
db-ip.com | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 104.26.5.15
ASN context (other analyses that contacted the same ASN; Context is the IP contacted):

Match | Associated Sample Name / URL | Detection | Threat Name | Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | Sp#U251c#U0434ti.exe | malicious | DanaBot | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | Sp#U251c#U0434ti.exe | malicious | Unknown | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe | malicious | Amadey, RedLine, RisePro Stealer | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | lQV0SgKoqe.exe | malicious | Unknown | 34.117.118.44
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | lQV0SgKoqe.exe | malicious | Unknown | 34.117.118.44
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | s.exe | malicious | Unknown | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | UeW2b6mU6Z.exe | malicious | Amadey, RisePro Stealer | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | tA6etkt3gb.exe | malicious | Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | Cheater Pro 1.6.0.msi | malicious | Unknown | 34.117.188.166
CLOUDFLARENETUS | eO2bqORIJb.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | SecuriteInfo.com.Win64.Evo-gen.10533.31255.exe | malicious | Unknown | 162.159.135.232
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.PWS.Steam.37210.2413.24955.exe | malicious | LummaC | 172.67.189.66
CLOUDFLARENETUS | https://jobrad.us1.list-manage.com/track/click?u=9c40c69097d5cc62620fab666&id=4174455835&e=1c8272e83c | malicious | Unknown | 104.21.4.152
CLOUDFLARENETUS | avp.msi | malicious | Unknown | 104.26.12.205
CLOUDFLARENETUS | https://librospy.com/ | malicious | Unknown | 172.67.219.113
CLOUDFLARENETUS | 13w4NM6mPa.exe | malicious | LummaC | 172.67.153.60
CLOUDFLARENETUS | SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe | malicious | Amadey, RedLine, RisePro Stealer |
                                                                                                                                                                          • 104.26.5.15
                                                                                                                                                                          SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                          • 23.227.38.74
                                                                                                                                                                          DTLite1200-2126.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                          • 104.18.38.233
                                                                                                                                                                          FREE-NET-ASFREEnetEUSecuriteInfo.com.Win32.Evo-gen.29833.28353.exeGet hashmaliciousAmadeyBrowse
                                                                                                                                                                          • 193.233.132.56
                                                                                                                                                                          SecuriteInfo.com.Win32.Evo-gen.15237.11182.exeGet hashmaliciousAmadey, RedLine, RisePro StealerBrowse
                                                                                                                                                                          • 193.233.132.167
                                                                                                                                                                          SecuriteInfo.com.Win64.Evo-gen.32634.31069.exeGet hashmaliciousLummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro StealerBrowse
                                                                                                                                                                          • 193.233.132.226
                                                                                                                                                                          UeW2b6mU6Z.exeGet hashmaliciousAmadey, RisePro StealerBrowse
                                                                                                                                                                          • 193.233.132.167
                                                                                                                                                                          tA6etkt3gb.exeGet hashmaliciousAmadey, PureLog Stealer, RedLine, RisePro Stealer, zgRATBrowse
                                                                                                                                                                          • 193.233.132.167
                                                                                                                                                                          Cheater Pro 1.6.0.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                          • 185.103.100.31
                                                                                                                                                                          Cheat Lab 2.7.2.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                          • 147.45.67.1
                                                                                                                                                                          file.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                          • 147.45.47.93
                                                                                                                                                                          dendy.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                          • 147.45.47.93
                                                                                                                                                                          SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exeGet hashmaliciousGlupteba, PureLog Stealer, zgRATBrowse
                                                                                                                                                                          • 193.233.132.175
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
SecuriteInfo.com.Trojan.PWS.Steam.37210.2413.24955.exe | malicious | LummaC | 34.117.186.192, 172.67.75.166
avp.msi | malicious | Unknown | 34.117.186.192, 172.67.75.166
13w4NM6mPa.exe | malicious | LummaC | 34.117.186.192, 172.67.75.166
SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe | malicious | Amadey, RedLine, RisePro Stealer | 34.117.186.192, 172.67.75.166
SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe | malicious | Unknown | 34.117.186.192, 172.67.75.166
UeW2b6mU6Z.exe | malicious | Amadey, RisePro Stealer | 34.117.186.192, 172.67.75.166
0001.doc | malicious | Dynamer | 34.117.186.192, 172.67.75.166
XY2I8rWLkM.exe | malicious | Remcos, DBatLoader | 34.117.186.192, 172.67.75.166
PO_983888123.xls | malicious | Unknown | 34.117.186.192, 172.67.75.166
8Sb3Ng0nF3.exe | malicious | LummaC | 34.117.186.192, 172.67.75.166
No context
Process: C:\Users\user\Desktop\s2dwlCsA95.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 936960
Entropy (8bit): 7.521887431067791
Encrypted: false
SSDEEP: 12288:tQEfkgrq80neiZWArK6ye6wxM9b8QraUO3dVwJ3rvcWZK6YFdFzlEh6pN1PuuQvp:mQkg280uArzD6o4I8OeDpMNEBt
MD5: 360F5B40A6CBC8F99639D6989A3FD0AC
SHA1: 1709413509C4DEDF9E0452D818A5991C0740CA86
SHA-256: 09C9E09EF1371E9BC9292ABCE47D8BD0FDAE9CB9FECC42CCFD51F983F43E2BDF
SHA-512: A2B273EC5AD9555255F0437388DDEA538290C8F4E0A3DC3FCC058C1D28E5BB45C4FECF1A44C644C8A2D87659305EAB7036432C31906CF6F707A1D77B9A82B75F
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 47%
• Antivirus: Virustotal, Detection: 51%
Process: C:\Users\user\Desktop\s2dwlCsA95.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Preview: [ZoneTransfer]....ZoneId=0
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.8957887347289039
Encrypted: false
SSDEEP: 192:N9wuzq8BG056r96E6jjzZZrVNzuiFGZ24IO8oj6t:3FqYt56rwjnzuiFGY4IO8L
MD5: F3EDF0EE78A750FB0F10F7414E0CA591
SHA1: AFDFAEC96AC57CF53804F2152922BAAC6047EFB0
SHA-256: D0FD8EEFA09C0F54A70A28EB08A8A17EC1393AAEEF1F448F44E4762E4772BDC7
SHA-512: 9E135E8B6BD307E786F66D337ADF5A459714AF31D57C791B25135EE7934199F1408BE3334454E00F1C2D609145D9E18D75CDB684A11D91837C2AC82B452E9F11
Malicious: false
Preview (UTF-16 decoded):
  Version=1
  EventType=APPCRASH
  EventTime=133579783293835796
  ReportType=2
  Consent=1
  ReportIdentifier=28c10e55-a34b-44f3-a332-bed6255c7202
  IntegratorReportIdentifier=675cdf41-d621-4c65-a660-3413aab4766e
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=MPGPH131.exe
  AppSessionGuid=000018c4-0001-0014-05a6-cee71a92da01
  TargetAppId=W:0006ee821d84d5bbb8819896dfd145ff97f40000ffff!00001709413509c4dedf9e0452d818a5991c0740ca86!MPGPH131.exe
  TargetAppVer=2024//04//17:09:44:44!0!MPGPH131.exe
  BootId=4294967
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9156883471295874
Encrypted: false
SSDEEP: 192:FUJouzH8BG056r96E6jjueZrM2zuiFGZ24IO8oj6t:aHYt56rwjrzuiFGY4IO8L
MD5: A4F73F98779E9FBF87A2F8E237B45453
SHA1: 8992500BB70E60B6DF75A0094D4120493BA48005
SHA-256: 6738193A3815FC7BA333C72D99AA8219E708F2D740EAFC48F954C15FD4A6AA5C
SHA-512: 97CB79FFDAF53F5EAA9D0EBF8A59E1F5594FC0FA8B01E33375C1D8CADB0AF76366B89110DEA1981D4DBD258CB73F79B8FA4EFF710162F3A4527AF778F3C9BB87
Malicious: false
Preview (UTF-16 decoded):
  Version=1
  EventType=APPCRASH
  EventTime=133579783344823515
  ReportType=2
  Consent=1
  ReportIdentifier=9b78097f-fe58-40b1-88d0-6e5a0e0057c7
  IntegratorReportIdentifier=21aaa7e9-e30f-4fd3-ac71-b584e35193e2
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=MPGPH131.exe
  AppSessionGuid=00001bb0-0001-0014-14fc-a0e71a92da01
  TargetAppId=W:0006ee821d84d5bbb8819896dfd145ff97f40000ffff!00001709413509c4dedf9e0452d818a5991c0740ca86!MPGPH131.exe
  TargetAppVer=2024//04//17:09:44:44!0!MPGPH131.exe
  BootId=4294967
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9427159988350975
Encrypted: false
SSDEEP: 192:9ouzt8BG056r96E6jjueZrMVzuiFGZ24IO8oj6t:HtYt56rwjYzuiFGY4IO8L
MD5: CCC2128D00D522F9C36AC3A6238988D2
SHA1: 6D2E20D162B643BA079896490C8C6E9511EF3A04
SHA-256: 9F81F59A5AA541D23548C190D68E97321E24824A0B37A305A8C6E627CF397194
SHA-512: B69B8F5484C5BB5055185B907F6D40A6F848433136367C2D10E91DF4E155641FBA69886F9B1F5FF76C1DF40C1348299997213A025B7D3A9E073F9DD1B309F78A
Malicious: false
Preview (UTF-16 decoded):
  Version=1
  EventType=APPCRASH
  EventTime=133579783377710385
  ReportType=2
  Consent=1
  ReportIdentifier=cc2c03f1-f312-454e-8eb4-b645afa2396e
  IntegratorReportIdentifier=841ad799-8bcb-420b-bf81-871b84fa5e8f
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=MPGPH131.exe
  AppSessionGuid=00001bb0-0001-0014-14fc-a0e71a92da01
  TargetAppId=W:0006ee821d84d5bbb8819896dfd145ff97f40000ffff!00001709413509c4dedf9e0452d818a5991c0740ca86!MPGPH131.exe
  TargetAppVer=2024//04//17:09:44:44!0!MPGPH131.exe
  BootId=4294967
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                          Entropy (8bit):0.9025288425799632
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:Iouzo8BG056r96E6jjueZrMyzuiFGZ24IO8oj6t:ioYt56rwjnzuiFGY4IO8L
                                                                                                                                                                          MD5:DEFF54C95C048212144028702FA2B75A
                                                                                                                                                                          SHA1:BA7F8E36D6F20455839B732D66638F7A304C5982
                                                                                                                                                                          SHA-256:9F2A1B66D26EEEED2F9495D7D470B3F92C0BE0D554B6DD82955C047AEEC9D03E
                                                                                                                                                                          SHA-512:021FFF61B134BD8A0D752D478E4470B2B57DCFA4389D50724D307A12372E3009A3ED332C4E51F0ACDA915796FEB55BD2EA4F7B1BE91D56281F17ED16F2915A11
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.7.8.3.2.9.1.7.9.3.4.4.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.f.7.a.9.a.9.2.-.7.b.b.d.-.4.d.3.7.-.a.d.e.e.-.2.a.3.c.5.a.9.4.6.a.3.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.2.8.7.6.b.6.7.-.6.d.8.7.-.4.6.4.4.-.9.7.a.f.-.e.a.8.1.1.1.7.0.f.b.f.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.0.-.0.0.0.1.-.0.0.1.4.-.1.4.f.c.-.a.0.e.7.1.a.9.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.8.2.1.d.8.4.d.5.b.b.b.8.8.1.9.8.9.6.d.f.d.1.4.5.f.f.9.7.f.4.0.0.0.0.f.f.f.f.!.0.0.0.0.1.7.0.9.4.1.3.5.0.9.c.4.d.e.d.f.9.e.0.4.5.2.d.8.1.8.a.5.9.9.1.c.0.7.4.0.c.a.8.6.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                          Entropy (8bit):0.9092736255827175
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:Yb9wuzZ8BG056r96E6jjzZZrVTzuiFGZ24IO8oj6t:YRFZYt56rwjpzuiFGY4IO8L
                                                                                                                                                                          MD5:48738C1DF4100CED623EC4CCF739C0E3
                                                                                                                                                                          SHA1:B0E1B0DF95650EB1B582693DA3319AA65E466CCB
                                                                                                                                                                          SHA-256:CE25B07C45BA3CB4E3227DE93A9B51C153EC669331F81755B5F715F923A78BD1
                                                                                                                                                                          SHA-512:09D45484A2DD3835B319883D03E230A8CF1606BAE1561590EBFEF8873166B90951BB30CB428EEB72F8D11784F0FFAB13AF04C352B9194D41ECC2A8B2CEE8ACA5
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.7.8.3.3.4.5.7.0.0.6.5.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.b.5.4.2.4.f.0.-.0.7.5.f.-.4.5.3.b.-.b.a.a.8.-.3.0.9.a.8.f.4.c.4.b.d.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.9.4.a.4.b.4.3.-.b.f.1.6.-.4.5.f.2.-.8.d.d.1.-.c.a.f.d.d.e.f.2.7.1.9.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.c.4.-.0.0.0.1.-.0.0.1.4.-.0.5.a.6.-.c.e.e.7.1.a.9.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.8.2.1.d.8.4.d.5.b.b.b.8.8.1.9.8.9.6.d.f.d.1.4.5.f.f.9.7.f.4.0.0.0.0.f.f.f.f.!.0.0.0.0.1.7.0.9.4.1.3.5.0.9.c.4.d.e.d.f.9.e.0.4.5.2.d.8.1.8.a.5.9.9.1.c.0.7.4.0.c.a.8.6.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                          Entropy (8bit):0.923236084844384
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:qyvl2vjsOhqjoA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1EoqzIPEVsJ/7:6j+G056rQjueZrMSzuiFGZ24IO8r
                                                                                                                                                                          MD5:5CDF0BEE358235B67A8E2F31911ABD9C
                                                                                                                                                                          SHA1:9A80C562218336357EB0EE06CDBCE9F6CFE4C68B
                                                                                                                                                                          SHA-256:D16C39C941C83167D1E384A5D2C388C6615A162C925EC74D33DB86559F95550B
                                                                                                                                                                          SHA-512:59532BC7325A54B698CCD06F6087A993C3320E8E0679097B6CEEFC3F77B9377E4457887CDD5F337C4EDA68CF1BB789B7AE965E0F9920898B695524928ACC34D3
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.7.8.3.2.2.2.7.7.7.1.9.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.1.8.3.2.f.9.3.-.2.9.c.9.-.4.f.b.6.-.8.5.3.b.-.2.c.5.e.a.1.0.8.6.e.9.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.c.2.5.b.a.8.8.-.2.8.a.a.-.4.d.f.7.-.a.8.4.b.-.7.9.b.0.d.3.a.6.2.b.5.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.2.d.w.l.C.s.A.9.5...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.c.c.-.0.0.0.1.-.0.0.1.4.-.8.a.9.8.-.1.0.e.4.1.a.9.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.f.4.6.4.b.8.6.e.a.f.e.9.2.e.8.b.4.7.9.9.c.1.3.b.a.1.4.f.1.1.0.0.0.0.0.f.f.f.f.!.0.0.0.0.1.7.0.9.4.1.3.5.0.9.c.4.d.e.d.f.9.e.0.4.5.2.d.8.1.8.a.5.9.9.1.c.0.7.4.0.c.a.8.6.!.s.2.d.w.l.C.s.A.9.5...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.s.2.d.w.l.C.s.A.9.5...e.x.e.....B.o.o.t.I.d.=.4.
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                          Entropy (8bit):1.0363545631867352
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:qr2Fr8vhsOhqjoA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1EoqzIPEVsJ/:ih+G056rQjueZrM6ndzuiFGZ24IO8r
                                                                                                                                                                          MD5:A98E3186846C8E12990DD49A4B459AB9
                                                                                                                                                                          SHA1:930566622DB592E615633D3582334CF01C92A6DB
                                                                                                                                                                          SHA-256:DBC9962A97BF66F64DACC295C03A8372EE3E23C75F1A6EF2D519226A1DA112C4
                                                                                                                                                                          SHA-512:872AF36BB1F03581DE3BCE1C5FF6033EB1EE2C235C18536BEA27B3827A85E5EE03F91CC5400D1CD7D9758E07C149336FB0DE3EDA960C0DA0284C6890B95B409F
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.7.8.3.3.4.1.9.7.7.7.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.8.5.d.b.3.8.4.-.2.e.b.a.-.4.d.4.d.-.8.d.3.d.-.a.0.9.c.2.6.b.6.7.2.e.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.a.6.5.7.d.c.8.-.9.f.5.c.-.4.1.3.c.-.a.f.9.a.-.1.5.b.c.f.4.f.c.e.7.c.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.2.d.w.l.C.s.A.9.5...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.c.c.-.0.0.0.1.-.0.0.1.4.-.8.a.9.8.-.1.0.e.4.1.a.9.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.f.4.6.4.b.8.6.e.a.f.e.9.2.e.8.b.4.7.9.9.c.1.3.b.a.1.4.f.1.1.0.0.0.0.0.f.f.f.f.!.0.0.0.0.1.7.0.9.4.1.3.5.0.9.c.4.d.e.d.f.9.e.0.4.5.2.d.8.1.8.a.5.9.9.1.c.0.7.4.0.c.a.8.6.!.s.2.d.w.l.C.s.A.9.5...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.s.2.d.w.l.C.s.A.9.5...e.x.e.....B.o.o.t.I.d.=.4.
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                          Entropy (8bit):0.9964946639735693
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:qlfv0sOhqjoA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1EoqzIPEVsJ/E6/:w0+G056rQjueZrM6BzuiFGZ24IO8r
                                                                                                                                                                          MD5:56271ED3BA85C852BF2A8F7AA0558812
                                                                                                                                                                          SHA1:D83EFF6E44EB232CDA5275F0B9278AC551F8AC64
                                                                                                                                                                          SHA-256:E60BE5BF2B3427BBB27E690FBE08BBB52FEB87D0D7F868F6994B62C05ED22692
                                                                                                                                                                          SHA-512:9A24F978EAC0C4926145547823B47B14291EA8CD24A93BB773759A8BFDD4B9E4ADAC822F54932BB556E473AE95CD1050A1AD78CEB13B9785E20E60DF342F92FA
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.7.8.3.2.5.7.0.4.4.7.3.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.a.5.a.f.d.0.4.-.2.b.d.6.-.4.f.1.0.-.a.f.0.e.-.9.9.b.a.7.3.0.1.4.f.0.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.a.1.3.7.5.0.c.-.a.d.a.c.-.4.d.0.8.-.b.3.c.a.-.1.8.1.d.0.0.e.6.9.6.4.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.2.d.w.l.C.s.A.9.5...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.c.c.-.0.0.0.1.-.0.0.1.4.-.8.a.9.8.-.1.0.e.4.1.a.9.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.f.4.6.4.b.8.6.e.a.f.e.9.2.e.8.b.4.7.9.9.c.1.3.b.a.1.4.f.1.1.0.0.0.0.0.f.f.f.f.!.0.0.0.0.1.7.0.9.4.1.3.5.0.9.c.4.d.e.d.f.9.e.0.4.5.2.d.8.1.8.a.5.9.9.1.c.0.7.4.0.c.a.8.6.!.s.2.d.w.l.C.s.A.9.5...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.s.2.d.w.l.C.s.A.9.5...e.x.e.....B.o.o.t.I.d.=.4.
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                          Entropy (8bit):0.9095795929601979
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:qkQtsBhnvYMsOhqjoA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1EoqzIPEm:dXvh+G056rQjueZrMgzuiFGZ24IO8r
                                                                                                                                                                          MD5:01A9899CA74CC7AE91FEDEB2811F8147
                                                                                                                                                                          SHA1:093EF038290478DDD99A749B804DF04E1677CF87
                                                                                                                                                                          SHA-256:6F554D43692B385B285481FAF0781AA4524FBA6C308B959E5932479235601CB5
                                                                                                                                                                          SHA-512:6F1D0F9DAEBFE6F5623861138D090F6D2612E5508AAB4BAEA6328097BE5606414146EAF0C0664ACF475007809B19F5F176F2CADD5D51887EAC26C0FFB3D6121A
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.7.8.3.2.0.7.2.7.4.8.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.2.5.5.1.9.e.c.-.2.e.a.1.-.4.b.6.9.-.9.8.9.7.-.9.f.2.5.8.e.3.6.3.b.4.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.5.3.d.b.b.7.2.-.b.d.d.a.-.4.0.8.2.-.b.5.0.e.-.b.5.1.d.7.e.9.4.e.a.6.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.2.d.w.l.C.s.A.9.5...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.c.c.-.0.0.0.1.-.0.0.1.4.-.8.a.9.8.-.1.0.e.4.1.a.9.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.f.4.6.4.b.8.6.e.a.f.e.9.2.e.8.b.4.7.9.9.c.1.3.b.a.1.4.f.1.1.0.0.0.0.0.f.f.f.f.!.0.0.0.0.1.7.0.9.4.1.3.5.0.9.c.4.d.e.d.f.9.e.0.4.5.2.d.8.1.8.a.5.9.9.1.c.0.7.4.0.c.a.8.6.!.s.2.d.w.l.C.s.A.9.5...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.s.2.d.w.l.C.s.A.9.5...e.x.e.....B.o.o.t.I.d.=.4.
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                          Entropy (8bit):1.023548264402323
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:qzZdnhvksOhqjoA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1EoqzIPEVsJQ:6pk+G056rQjueZrM6jzuiFGZ24IO8r
                                                                                                                                                                          MD5:518B40394EE2D5F7A8ECCCA01C714337
                                                                                                                                                                          SHA1:D510D362434975F84DE6DA70EB2C5F98CD8D45D4
                                                                                                                                                                          SHA-256:633A2F5AB47FC3074666BCADD985CB205059184828A10BFF51F426386079539B
                                                                                                                                                                          SHA-512:DA39DDB9E4B63F4097C798FBBBBB9AF36BB9F3A03AD60A37B5FB51C3A04B837D9A740A91B2B1E3CF4044BBEC7D8FCD71F7EBECA5043D31A42702459B7AB8CEFF
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.7.8.3.2.6.7.6.2.5.9.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.1.5.5.2.c.8.3.-.7.1.9.6.-.4.6.2.b.-.b.b.6.7.-.0.c.5.e.7.f.d.b.f.f.c.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.f.8.7.6.d.4.2.-.4.0.c.6.-.4.a.6.8.-.a.6.c.f.-.f.6.5.6.8.9.3.5.2.7.a.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.2.d.w.l.C.s.A.9.5...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.c.c.-.0.0.0.1.-.0.0.1.4.-.8.a.9.8.-.1.0.e.4.1.a.9.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.f.4.6.4.b.8.6.e.a.f.e.9.2.e.8.b.4.7.9.9.c.1.3.b.a.1.4.f.1.1.0.0.0.0.0.f.f.f.f.!.0.0.0.0.1.7.0.9.4.1.3.5.0.9.c.4.d.e.d.f.9.e.0.4.5.2.d.8.1.8.a.5.9.9.1.c.0.7.4.0.c.a.8.6.!.s.2.d.w.l.C.s.A.9.5...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.s.2.d.w.l.C.s.A.9.5...e.x.e.....B.o.o.t.I.d.=.4.
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                          Entropy (8bit):1.0233366804792066
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:qknTHvhsOhqjoA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1EoqzIPEVsJ/J:lh+G056rQjueZrM6jzuiFGZ24IO8r
                                                                                                                                                                          MD5:92784BD8ECD13818DE2E0626C2B5F553
                                                                                                                                                                          SHA1:701399DFEC8F82C2B3D28F0482CB9188CA9CEE2F
                                                                                                                                                                          SHA-256:1CF0E7063F4081F22C276AD3A56475C6613391A9EF7FDC2C00101321FC3D8D73
                                                                                                                                                                          SHA-512:DF8DC543C9BF48B0EC86C9634C9353652DF8C085331B79FF17E443BE42BA6E05A03AE72957BC1261BEE8AB6D0586B863B92DBD1100D515B5040317E5C7CB5D74
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.7.8.3.3.0.5.3.6.8.0.7.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.b.7.9.2.f.5.-.2.1.4.9.-.4.a.b.0.-.b.d.3.4.-.7.4.5.0.e.7.1.5.b.1.d.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.4.0.5.a.b.5.e.-.5.b.c.8.-.4.b.b.1.-.9.3.3.1.-.0.4.3.9.8.5.3.f.e.0.e.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.2.d.w.l.C.s.A.9.5...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.c.c.-.0.0.0.1.-.0.0.1.4.-.8.a.9.8.-.1.0.e.4.1.a.9.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.f.4.6.4.b.8.6.e.a.f.e.9.2.e.8.b.4.7.9.9.c.1.3.b.a.1.4.f.1.1.0.0.0.0.0.f.f.f.f.!.0.0.0.0.1.7.0.9.4.1.3.5.0.9.c.4.d.e.d.f.9.e.0.4.5.2.d.8.1.8.a.5.9.9.1.c.0.7.4.0.c.a.8.6.!.s.2.d.w.l.C.s.A.9.5...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.s.2.d.w.l.C.s.A.9.5...e.x.e.....B.o.o.t.I.d.=.4.
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                          Entropy (8bit):0.929720981548613
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:qOtrsjvDsOhqjoA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1EoqzIPEVsJs:2rD+G056rQjueZrMwzuiFGZ24IO8rq
                                                                                                                                                                          MD5:05E5237617FD72F148031311507D8C28
                                                                                                                                                                          SHA1:26F5D87260E179DB422EA2D55E939C06E7F19C30
                                                                                                                                                                          SHA-256:46325ED48B65C1F78101864E4D09C15312B0E7BBF3C24C4540C72A8E8B305BF9
                                                                                                                                                                          SHA-512:7A58761B9B6E765D92B366D699C9186E33D7F1C51AFB2E0B6A2198987DC413ED3851C14EB2C2270BB42AEEA46EC0BA3DF2A8E3CDD6844BF3B5AD158B9EA5E840
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:Version=1 EventType=APPCRASH EventTime=133579783229194553 ReportType=2 Consent=1 ReportIdentifier=c8752875-d89b-4c62-bfee-0f8060f1441b IntegratorReportIdentifier=c944a94f-74ec-42cc-808d-acdb35693e75 Wow64Host=34404 Wow64Guest=332 NsAppName=s2dwlCsA95.exe AppSessionGuid=000019cc-0001-0014-8a98-10e41a92da01 TargetAppId=W:00067f464b86eafe92e8b4799c13ba14f1100000ffff!00001709413509c4dedf9e0452d818a5991c0740ca86!s2dwlCsA95.exe TargetAppVer=2024//04//17:09:44:44!0!s2dwlCsA95.exe BootId=4
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                          Entropy (8bit):0.949535079453183
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:qUnFovhsOhqjoA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1EoqzIPEVsJ/9:Tah+G056rQjueZrMFzuiFGZ24IO8r
                                                                                                                                                                          MD5:1B569B451AC5C4A8D0767868F43AD104
                                                                                                                                                                          SHA1:57C6F8C4C84813B3DA97F0A34E8D7D1A074D1893
                                                                                                                                                                          SHA-256:721F56DF15C20DCB5CB33CD23642FEF4D0A457700D6C86FEF220BAF83BE3EACB
                                                                                                                                                                          SHA-512:00157E435D5D79620BA932363E95D0A0C6C20F3633175CE124AF6369FC808C53EACAC46C9564E2CDE895E6F823A891BE3D75EF117AF28DCE24FDC8E9BE328D9E
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:Version=1 EventType=APPCRASH EventTime=133579783246502283 ReportType=2 Consent=1 ReportIdentifier=f5cbb6ed-3531-44ea-bd4f-e14b4973d104 IntegratorReportIdentifier=7465705d-82be-48e4-bb34-708ce7946398 Wow64Host=34404 Wow64Guest=332 NsAppName=s2dwlCsA95.exe AppSessionGuid=000019cc-0001-0014-8a98-10e41a92da01 TargetAppId=W:00067f464b86eafe92e8b4799c13ba14f1100000ffff!00001709413509c4dedf9e0452d818a5991c0740ca86!s2dwlCsA95.exe TargetAppVer=2024//04//17:09:44:44!0!s2dwlCsA95.exe BootId=4
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                          Entropy (8bit):0.9494902071248932
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:qFVNvisOhqjoA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1EoqzIPEVsJ/Ed:A1i+G056rQjueZrMFzuiFGZ24IO8r
                                                                                                                                                                          MD5:12A9887A3AFAA5ED6F626B6AC8FC6A97
                                                                                                                                                                          SHA1:2BBBB1ED111915D429B2A3BF08BBC6061FF8C74F
                                                                                                                                                                          SHA-256:F379585F99E81525C153D75B6705E1FF42FCBB3B3F90A5A8BF0DA7569BE5BB26
                                                                                                                                                                          SHA-512:5913D3C942EE16D2D8B2F9A56AB76A0A53CFCFDE5E2FCF3D2F4F70758EE5E06E949619561D7BE5AFA869DFDF7540DD1F27FF2C4AA03452A518AA738F615D05D3
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:Version=1 EventType=APPCRASH EventTime=133579783238566320 ReportType=2 Consent=1 ReportIdentifier=fd5f25d6-0197-4780-8743-d608c513d0c0 IntegratorReportIdentifier=343f13c4-5871-4392-a417-1655e6717665 Wow64Host=34404 Wow64Guest=332 NsAppName=s2dwlCsA95.exe AppSessionGuid=000019cc-0001-0014-8a98-10e41a92da01 TargetAppId=W:00067f464b86eafe92e8b4799c13ba14f1100000ffff!00001709413509c4dedf9e0452d818a5991c0740ca86!s2dwlCsA95.exe TargetAppVer=2024//04//17:09:44:44!0!s2dwlCsA95.exe BootId=4
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                          Entropy (8bit):1.0430740380337236
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:WB+W0JsAnbcA/jueZrM6nkzuiFGZ24IO8r:WB+9JsAnbcA/jJkzuiFGY4IO8r
                                                                                                                                                                          MD5:B142D2D764D45DD50296385616538F5A
                                                                                                                                                                          SHA1:A34E18475FC1CD9D207C680B87E64745B90E4426
                                                                                                                                                                          SHA-256:CEE3A425590EC8A7BF146EE84D7242C29D4EC1CBACBC781E0B41A4032444B932
                                                                                                                                                                          SHA-512:C07A68A80B07BF62F59264A30345A3F01258AA4D2734BFE6FF547D82C0017F3B0BC1757FF08C6AB9C54518D00E5DD0544CC370D7B1D2569F369CCB895DB992D4
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:Version=1 EventType=APPCRASH EventTime=133579783374900557 ReportType=2 Consent=1 ReportIdentifier=b5faa5de-0809-4ef1-94ec-ab31d9b4a399 IntegratorReportIdentifier=5f40dbab-1b8e-4abb-ad9a-2acf3167333d Wow64Host=34404 Wow64Guest=332 NsAppName=s2dwlCsA95.exe AppSessionGuid=000019cc-0001-0014-8a98-10e41a92da01 TargetAppId=W:00067f464b86eafe92e8b4799c13ba14f1100000ffff!00001709413509c4dedf9e0452d818a5991c0740ca86!s2dwlCsA95.exe TargetAppVer=2024//04//17:09:44:44!0!s2dwlCsA95.exe BootId=4
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Fri Apr 19 05:32:12 2024, 0x1205a4 type
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):119270
                                                                                                                                                                          Entropy (8bit):1.991863016178907
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:768:Hv9Ww8xTvpt8lhfLok7E7iCOwm65q8g0N/:l4xGDok73Jn65vgq
                                                                                                                                                                          MD5:E196AF49EFC3EC92FE355CF33BCEA4F5
                                                                                                                                                                          SHA1:C09FE160E31D25F890070E0F1D490C5CAB239B68
                                                                                                                                                                          SHA-256:68B00058432E130ACD6E0AA7C465BA3A12B3F26B2C941F91C73369E2E909C481
                                                                                                                                                                          SHA-512:C01998BF870BC32CF6967FAEA9F39222EAF173388040FDDB816FDC36B2018E88711E9FAA57321E6E6882ADAAE06C4CE59C68FDC6D03EA4E12DBBA17385A895F2
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Fri Apr 19 05:32:06 2024, 0x1205a4 type
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):109646
                                                                                                                                                                          Entropy (8bit):2.1328256827604224
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:384:RRazgz0WjuskxTvvSC5lq6zeQVBwYbqnsmM4681BpJdhxZlhZGbVeDw47lzQgQsN:mGzuskxTvR5lq6C8wY8M4680mDNSW
                                                                                                                                                                          MD5:FC6C10A8AC7E6E41A89981AE191EB5C9
                                                                                                                                                                          SHA1:1E0B9476361B6EFEE787A24E43059F3525F6D97D
                                                                                                                                                                          SHA-256:9F0BFD7E25D710BE65CF82B43AFD9769A81D6CDC6CEC68E8A5F806A03FB6FDE0
                                                                                                                                                                          SHA-512:FA1A9DBD66999C8CD593F491DBF604F01FD226250563462822EAC4B1CAC33768DE5889567710897798FD011B802ABB571DDDC3A37AD30AB1164D181ECDF625FE
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):8370
                                                                                                                                                                          Entropy (8bit):3.7042560101848974
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:R6l7wVeJ6Tl686YEIwSUa0gmfDQpBx89b8MsfC0m:R6lXJ8686YE/SUa0gmfD58ffA
                                                                                                                                                                          MD5:ECBE598101A419AA5BFA8F821092CFDE
                                                                                                                                                                          SHA1:78A31B84E53E6F04F762B595B27D8D2DA59AA699
                                                                                                                                                                          SHA-256:09FF7B2BC419BD66715400D5ACF34559E2C3A93A5A5FDFAFCB9421AB6DF1C02E
                                                                                                                                                                          SHA-512:1232A331CFAFD9D17B458495FBE837516579AAA16D0F6EA73C6F68276AB33527117FD14AC2CE5033B1866BD5AB42E3B6530B03B22B1626FD354C59D9D9531FBC
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>6604</Pi
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):4619
                                                                                                                                                                          Entropy (8bit):4.487946693007528
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:cvIwWl8zsSJg77aI9QbWpW8VYJdVYm8M4JZCFbdsn+q8lN5/gC5id:uIjfgI7eq7VmdkJUCsZgC5id
                                                                                                                                                                          MD5:EC881FB80DC31E49F9FD8CD64B32A01B
                                                                                                                                                                          SHA1:32EC4EF9714043EB62FFBD669F466137E1AD9C04
                                                                                                                                                                          SHA-256:37A063EBF4CA49604EA5205B6A2628DF9288D8EFC6AEBFC38A0C619571A81074
                                                                                                                                                                          SHA-512:9D65E94D1B29EAEFF75505198E78F75E5236A5456E7A0A018B1741F6514A14C44453578ABD67D139A53CD1FAD56053477279A3B84E0BE77D4759418E67E8889B
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <req ver="2"> <tlm> <src> <desc> <mach> <os> <arg nm="vermaj" val="10" /> <arg nm="vermin" val="0" /> <arg nm="verbld" val="19045" /> <arg nm="vercsdbld" val="2006" /> <arg nm="verqfe" val="2006" /> <arg nm="csdbld" val="2006" /> <arg nm="versp" val="0" /> <arg nm="arch" val="9" /> <arg nm="lcid" val="2057" /> <arg nm="geoid" val="223" /> <arg nm="sku" val="48" /> <arg nm="domain" val="0" /> <arg nm="prodsuite" val="256" /> <arg nm="ntprodtype" val="1" /> <arg nm="platid" val="2" /> <arg nm="tmsi" val="286354" /> <arg nm="osinsty" val="1" /> <arg nm="iever" val="11.789.19041.0-11.0.1000" /> <arg nm="portos" val="0" /> <arg nm="ram" val="409
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Fri Apr 19 05:32:14 2024, 0x1205a4 type
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):127090
                                                                                                                                                                          Entropy (8bit):2.0222435082054466
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:384:jhx/gxQx8xTv9W1hGhQmS+lhvzCPctXqN8N8gNnKMt7Lg4KY0BbUuy4+:jhFNx8xTvs46+lhvmOOgJKMZLebU34+
                                                                                                                                                                          MD5:8A0BB07B8A97A11CBC3AB18580D97F75
                                                                                                                                                                          SHA1:9980F381ED387B99BAC92B1C2D495C83816511A0
                                                                                                                                                                          SHA-256:ABA8720A50D3C0FE82052DA7E6C89E908428E01E489B4DD23DA8AE3B4C4388C6
                                                                                                                                                                          SHA-512:7A262CC5A6A8B4A0E4709C16D760D2F40D8D77A7EC3BECD36B246F3C9188FD611CE67986ADB32B02C818D398A215F220C6E4D25FD41BCFE5EF382A5A30F5218B
                                                                                                                                                                          Malicious:false

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Fri Apr 19 05:32:15 2024, 0x1205a4 type
Category: dropped
Size (bytes): 65044
Entropy (8bit): 2.226639907033892
Encrypted: false
SSDEEP: 384:g9+5uJxTvszJ2Cho7ear7crVqV6EgfFH:pEJxTvswCOHXmNH
MD5: F91D081BABE9F7CFB0E5CDFE09641DAD
SHA1: 28CC3CA041A93E8EE4FB2C8F53E66966C26CFEB5
SHA-256: 3E2914C9BB0ABBEFAAE65EB645A4CD98262491780F1D031EC8D84C084370701F
SHA-512: 8CC375AFE8AAE4F0F8AC8C970B18012DC08FF091E74E4DD4517911B2FB262AE5A8DC2EF2C09F3525254534FEF70E2A21B81C82A0198D26249B6FFDCF2CDB0B41
Malicious: false
                                                                                                                                                                          Preview:MDMP..a..... ........."f....................................<................4..........`.......8...........T............#..d...........D...........0...............................................................................eJ..............GenuineIntel............T............."f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Fri Apr 19 05:32:15 2024, 0x1205a4 type
Category: dropped
Size (bytes): 64708
Entropy (8bit): 2.234766363955331
Encrypted: false
SSDEEP: 384:Be0HBSaFTv7dzSiGOD4r1jrV+ibp587fk:RhSaFTv5IOU5s17
MD5: 3044CF3B81868BB7F3055AAD796B283A
SHA1: 628ADD4BC8F30539CF2432B52A8D897A6EB836CD
SHA-256: 501418A97A8F3E8B0056647C0B243F5D153A54748CA30ED4BBF974664FBD4A7E
SHA-512: AE84AE92D2354738DC9840F958A3142BA51E2A1BDF3F4DBB919AD25106B0D191B83C63A3DE89FB84215F082FC7FD2D3244160F75B7A95F40C403131163937502
Malicious: false
                                                                                                                                                                          Preview:MDMP..a..... ........."f....................................<...........T....3..........`.......8...........T............"..,.......................................................................................................eJ......\.......GenuineIntel............T............."f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
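The three WerFault dumps above are identified only by libmagic's summary line (`Mini DuMP crash report, 15 streams, Fri Apr 19 05:32:15 2024, 0x1205a4 type`). The script below is an added example, not code from the Joe Sandbox report or from WerFault, showing how that line is read out of the 32-byte MINIDUMP_HEADER: the stream count, the time_t timestamp, and the 64-bit Flags word, which expands into the MINIDUMP_TYPE bits that tell you what kind of dump it is. It also walks the stream directory with a bounds check against truncated or tampered dumps. The header bytes are constructed to carry the values the report displays; the directory entries (stream types 3 to 17, zero length) are illustrative and are not recovered from the dropped files.

```python
"""Minidump (MDMP) header and stream-directory parser.

Added example; not code from the Joe Sandbox report. build_sample()
CONSTRUCTS a dump whose header matches the report's File Type line
(15 streams, Fri Apr 19 05:32:15 2024, flags 0x1205a4); its directory
entries are illustrative, not bytes from the dropped files.
"""
import struct
from datetime import datetime, timezone

# MINIDUMP_HEADER (dbghelp.h), 32 bytes little-endian:
#   4s Signature 'MDMP', I Version (low word 0xA793), I NumberOfStreams,
#   I StreamDirectoryRva, I CheckSum, I TimeDateStamp (time_t), Q Flags
HEADER_FMT = "<4sIIIIIQ"
HEADER_SIZE = struct.calcsize(HEADER_FMT)        # 32
# MINIDUMP_DIRECTORY entry: I StreamType, I DataSize, I Rva (12 bytes)
DIR_FMT = "<III"
DIR_SIZE = struct.calcsize(DIR_FMT)              # 12

# MINIDUMP_TYPE bits (dbghelp.h); a dump's Flags field is their OR.
MINIDUMP_TYPE = {
    0x00000001: "MiniDumpWithDataSegs", 0x00000002: "MiniDumpWithFullMemory",
    0x00000004: "MiniDumpWithHandleData", 0x00000008: "MiniDumpFilterMemory",
    0x00000010: "MiniDumpScanMemory", 0x00000020: "MiniDumpWithUnloadedModules",
    0x00000040: "MiniDumpWithIndirectlyReferencedMemory",
    0x00000080: "MiniDumpFilterModulePaths",
    0x00000100: "MiniDumpWithProcessThreadData",
    0x00000200: "MiniDumpWithPrivateReadWriteMemory",
    0x00000400: "MiniDumpWithoutOptionalData", 0x00000800: "MiniDumpWithFullMemoryInfo",
    0x00001000: "MiniDumpWithThreadInfo", 0x00002000: "MiniDumpWithCodeSegs",
    0x00004000: "MiniDumpWithoutAuxiliaryState",
    0x00008000: "MiniDumpWithFullAuxiliaryState",
    0x00010000: "MiniDumpWithPrivateWriteCopyMemory",
    0x00020000: "MiniDumpIgnoreInaccessibleMemory",
    0x00040000: "MiniDumpWithTokenInformation", 0x00080000: "MiniDumpWithModuleHeaders",
    0x00100000: "MiniDumpFilterTriage", 0x00200000: "MiniDumpWithAvxXStateContext",
    0x00400000: "MiniDumpWithIptTrace",
}

# MINIDUMP_STREAM_TYPE values that matter for crash triage.
STREAM_TYPE = {
    3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
    6: "ExceptionStream", 7: "SystemInfoStream", 8: "ThreadExListStream",
    9: "Memory64ListStream", 10: "CommentStreamA", 11: "CommentStreamW",
    12: "HandleDataStream", 13: "FunctionTableStream", 14: "UnloadedModuleListStream",
    15: "MiscInfoStream", 16: "MemoryInfoListStream", 17: "ThreadInfoListStream",
    18: "HandleOperationListStream", 19: "TokenStream",
}


def parse_header(data: bytes) -> dict:
    """Validate and decode the fixed 32-byte MINIDUMP_HEADER."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a minidump header")
    sig, ver, nstreams, dir_rva, checksum, ts, flags = struct.unpack_from(HEADER_FMT, data)
    if sig != b"MDMP":
        raise ValueError(f"bad signature {sig!r}")
    if ver & 0xFFFF != 0xA793:                   # high word is implementation-specific
        raise ValueError(f"unexpected version 0x{ver:08x}")
    return {"streams": nstreams, "directory_rva": dir_rva, "checksum": checksum,
            "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc), "flags": flags}


def decode_flags(flags: int) -> list[str]:
    """Expand the MINIDUMP_TYPE bit set into names; unknown bits stay as hex."""
    names = [name for bit, name in MINIDUMP_TYPE.items() if flags & bit]
    unknown = flags & ~sum(MINIDUMP_TYPE)
    if unknown:
        names.append(f"0x{unknown:x}")
    return names


def list_streams(data: bytes) -> list[tuple[str, int, int]]:
    """Walk the stream directory; returns (type name, size, rva) per entry."""
    hdr = parse_header(data)
    out = []
    for i in range(hdr["streams"]):
        off = hdr["directory_rva"] + i * DIR_SIZE
        if off + DIR_SIZE > len(data):
            raise ValueError("stream directory runs past end of file")
        stype, size, rva = struct.unpack_from(DIR_FMT, data, off)
        if rva + size > len(data):               # truncated or tampered dump
            raise ValueError(f"stream {i} points outside the file")
        out.append((STREAM_TYPE.get(stype, f"Unknown({stype})"), size, rva))
    return out


def describe(data: bytes) -> str:
    """Reproduce libmagic's one-line summary (timestamp rendered as UTC)."""
    h = parse_header(data)
    return (f"Mini DuMP crash report, {h['streams']} streams, "
            f"{h['timestamp']:%a %b %d %H:%M:%S %Y}, 0x{h['flags']:x} type")


def build_sample() -> bytes:
    """CONSTRUCTED dump: header values from the report, then 15 empty
    directory entries of types 3..17 (illustrative), no stream bodies."""
    n = 15
    header = struct.pack(HEADER_FMT, b"MDMP", 0xA793, n, HEADER_SIZE, 0,
                         0x662201DF, 0x1205A4)    # 0x662201DF = 2024-04-19 05:32:15 UTC
    directory = b"".join(struct.pack(DIR_FMT, t, 0, 0) for t in range(3, 3 + n))
    return header + directory


if __name__ == "__main__":
    blob = build_sample()
    print(describe(blob))
    print(", ".join(decode_flags(parse_header(blob)["flags"])))
    for name, size, rva in list_streams(blob):
        print(f"  {name:<28} size={size:<6} rva=0x{rva:x}")
```

Two things fall out of the decode that the report's one-liner does not state. 0x1205a4 is MiniDumpFilterTriage, MiniDumpWithoutOptionalData, MiniDumpIgnoreInaccessibleMemory, MiniDumpWithProcessThreadData, MiniDumpFilterModulePaths, MiniDumpWithUnloadedModules and MiniDumpWithHandleData; MiniDumpWithFullMemory is not set, so these are triage dumps holding only the memory ranges WerFault's filter selected, and the unpacked payload should not be expected to be carved whole out of them. The timestamp is parsed as UTC here, whereas `file` formats the same time_t through ctime in local time, so a fixed offset between the two on a non-UTC host is normal, not a sign of tampering.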

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8370
Entropy (8bit): 3.7032243223006276
Encrypted: false
SSDEEP: 192:R6l7wVeJ6T/6O6YEIESUAk+gmfDQpBx89bTMsfCRm:R6lXJW6O6YELSUJ+gmfDJTfft
MD5: EF3FD3C7CE75F564DD0B350F7C257D6D
SHA1: E7648EA335DBF57E104D90DBD1BBE7FB8BA64B8E
SHA-256: 11550223D0F9514D01C0CEE8EF2B9544F3752F16552678DB39B9B7E188EFA225
SHA-512: 819CBAAEC87F422B35EF3FEB7FB8F9943F9CCB47C995BF200EDD2D8D598C5F5A7AA934ADC159E5B9F904F3DCEB801D787FB2D5F8C27D63B1BFD824486461547E
Malicious: false
                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.0.4.<./.P.i.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4619
Entropy (8bit): 4.487008140678409
Encrypted: false
SSDEEP: 48:cvIwWl8zsSJg77aI9QbWpW8VYaYm8M4JZCF7N+B+q8lN5/gC5id:uIjfgI7eq7VaJCgsZgC5id
MD5: F8336B17C62D8C851206FA3F48C7F044
SHA1: DAE1262E178A57AA15290B13A43E1C62A451509D
SHA-256: C0D25AEB1B8744DB6C1190F5CF28AABD396BA7F80EBEA40A8081D60ABAEBB857
SHA-512: 168ABF55A74D7174335B02A3425105DCCBBF8883E51A96696A2EAD026754EA8A267EF14E4B75079EB123617252387B56C918F79EF4A6E9640FA34E039E128870
Malicious: false
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="286354" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 6340
Entropy (8bit): 3.7272768902450024
Encrypted: false
SSDEEP: 96:RSIU6o7wVetbhIu8A6cYiKHFXIEpgaMOU289bK8sfsOm:R6l7wVeJeu8A6cYiaQpB289bK8sfsOm
MD5: 0699B0B5F37E1693A8628C2FEB0979F0
SHA1: F4B6FB8D9E96C749128B95ECBC0B792E9BF2C633
SHA-256: 24A6D01D612B74D50969DDC3C860B591869DD09165BACCFC6E4DB87F2179E0BC
SHA-512: CD4DE0BFD2054B7B0024B408348B686DB993F8F4C83CF630712C2E51FDBD6486A6196C26FEB4E7E7CCE239CE14156AC7A2909A77B556C7B39EC994B6590D2D6F
Malicious: false
                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.8.<./.P.i.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4609
Entropy (8bit): 4.495063193477198
Encrypted: false
SSDEEP: 48:cvIwWl8zsSJg77aI9QbWpW8VYPYm8M4JpCF+0+q8nnlCJOCTrd:uIjfgI7eq7VzJQmyOCTrd
MD5: 5052CC1B75E6A33FCAA41ED2C5E6A885
SHA1: CF86D0405CE3B743E6BA62425847F9CF31605507
SHA-256: 608B6D862E2E7AC36EE09DB3B979CA11EF64D37DED7B6CAFAFDFCD557C3649C7
SHA-512: 2AECE4586A6A95E5F2A7093B9F0C0C80B6BB7AAB91146F776D13D97FC9D4F4213C7D2D368F81F526B6680AE4992FCF9151DE86DA870AAC7C0D94C8271D4E8E69
Malicious: false
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="286354" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 6340
Entropy (8bit): 3.728220803162181
Encrypted: false
SSDEEP: 96:RSIU6o7wVetbwuC6xLneYiKHFXIEpgaMOUJ89bKRsfsOm:R6l7wVeJwuC6NneYiaQpBJ89bKRsfsOm
MD5: EF30C1B132C357B533FA6BB45FA21B4B
SHA1: 6AB73BA373DA5260571AC46B90CB5D4E80EFA8FE
SHA-256: F21D946FEC1A5CB09342161EC4B594D530064FA5D85995036CC10B16893679D5
SHA-512: 6B00E94CD20E8D141BFFC27A0D7E834E3948265943970273FE1AC4C7A8A88396D8372DE655C1571ADCAB7815118C07B22B62E5848D7526C144B9818F9E02B7BE
Malicious: false
                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.4.0.<./.P.i.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4609
Entropy (8bit): 4.497186093663939
Encrypted: false
SSDEEP: 48:cvIwWl8zsSJg77aI9QbWpW8VY6Ym8M4JpCFBe+q8nBCJOCTEd:uIjfgI7eq7VaJdCyOCTEd
MD5: 99E8584CB9B841D633A3180A964825E5
SHA1: C75D59EEDBB2797291E9386A9BEF7FF4CA37F65F
SHA-256: 8B630A3F5D71BC6158D2D3D57FA24B0836B05F7C401AB0A55B37AC646F6DB1B8
SHA-512: 1D67A4FE8A24847A8AABA908F08753DBA67306837EFA8E13D517C121847BA29985EB279B5700FDBDBDCB3C0E36222CF84AF35F0EBFD14C02CBA32BD79285C8DF
Malicious: false
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="286354" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8370
Entropy (8bit): 3.704967227011704
Encrypted: false
SSDEEP: 192:R6l7wVeJ6T+6a3a73e6YEIgSUOiRgmfDQpBG89bwMsfSwm:R6lXJH6aK7u6YEvSUOiRgmfDIwff0
MD5: D20B3C9BD043A6381DCBC2948DFAA762
SHA1: B29768924BF42BA4A95F47044EA3EB5A38281D86
SHA-256: 5479945B6DC2B13AFD9DDF9C36AF2284B4224A1E2FAEA2A75886D194D652CCF6
SHA-512: B3182E52EDC4597ECA25DA5A4D663D88E0F75589C3B06E6301FF2DDCEF7AF2F33CF416ABB4CFFDF13788CD87FB3B0CADD1C7CE79D3E80EDF4F92F1BAD9A7E6B4
Malicious: false
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>..  <WindowsNTVersion>10.0</WindowsNTVersion>..  <Build>19045</Build>..  <Product>(0x30): Windows 10 Pro</Product>..  <Edition>Professional</Edition>..  <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>..  <Revision>2006</Revision>..  <Flavor>Multiprocessor Free</Flavor>..  <Architecture>X64</Architecture>..  <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>..  <Pid>6604</Pi
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):4619
                                                                                                                                                                          Entropy (8bit):4.487398645722198
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:cvIwWl8zsSJg77aI9QbWpW8VYOYm8M4JZCF34+q8lN5/gC5id:uIjfgI7eq7V+JQ4sZgC5id
                                                                                                                                                                          MD5:349C41C204D864995A0D434B4D38586C
                                                                                                                                                                          SHA1:859400F4F787B65709A69895526360CCC6539936
                                                                                                                                                                          SHA-256:7723DA2B2F6A4928F7214231773E8B2A2470BFCD054A7D0FF75479396A94524A
                                                                                                                                                                          SHA-512:C486CC222F1A80924B09A689BE64A7512EB2440497FF5FAE54CE0CE26A7CD8726438716E2071609085BD944DF4898475897B854C884EE9C7E2E5584F9828D7F7
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="286354" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Fri Apr 19 05:32:18 2024, 0x1205a4 type
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):119172
                                                                                                                                                                          Entropy (8bit):2.0248552021695487
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:384:kLyGc8uXjM9xTv0fBSHlhFzJrbQIVf+taqoCk+OxEHc3ET2zKjd7Y:keP/jKxTv0foHlhFNzV01O+Hr2zY
                                                                                                                                                                          MD5:3FAD0A9DE53F40A8127ED236FAB7B7AF
                                                                                                                                                                          SHA1:41354A437C73AE8B3F71B3FC1AA9CB76097C0505
                                                                                                                                                                          SHA-256:559BC504ADE0A1EABFF866B301D045834E59A2D39E5580906AAA535D6294C9F4
                                                                                                                                                                          SHA-512:9BCEF7BF8ED9BF3F981CAD504A5E896CC61F81DEA747369FAE1A5A63CA30D6DA7BB425CE319F18F47E3F33E4C5673F297FB6DEE06F90DD7D11E722D2054CC94D
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:MDMP (binary minidump; readable strings in preview: GenuineIntel, W. Europe Standard Time, W. Europe Summer Time, 19041.1.amd64fre.vb_release.191206-1406)
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Fri Apr 19 05:32:18 2024, 0x1205a4 type
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):76554
                                                                                                                                                                          Entropy (8bit):2.0739533823762852
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:384:DOeQcDwxTv0zJ97M2kbcrVAF5e/rvFZflE:DOHZxTv0M2kbdFoHa
                                                                                                                                                                          MD5:5AF75FEE537E8F30FF094939DB0574E1
                                                                                                                                                                          SHA1:B16418F7179E218BFC1FE6D18C400FA4F5EA1D5C
                                                                                                                                                                          SHA-256:E1740FBCCAB8783CB3EE5D8836F11AEB895C286395B0C9B7F9CB452FBD778D0C
                                                                                                                                                                          SHA-512:151BA5200E081201FFC4C0DDF3D2A9E6085464E51568AC93256A43C37B31853ECA98E8C5500855FDAD8B2D6FE35618AD40BD3CDA0DCA65A70DC3F7763B927E46
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:MDMP (binary minidump; readable strings in preview: GenuineIntel, W. Europe Standard Time, W. Europe Summer Time, 19041.1.amd64fre.vb_release.191206-1406)
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):6340
                                                                                                                                                                          Entropy (8bit):3.7277245150033864
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:RSIU6o7wVetbhIuS6YYiKHFXIEpgaMOUY89b/8sfbv1m:R6l7wVeJeuS6YYiaQpBY89b/8sfbv1m
                                                                                                                                                                          MD5:FA29052E1A75B574A9B5EF5BB46A88BC
                                                                                                                                                                          SHA1:C51CFF3F0087E62F333FBB5317F8B94A09EBDE69
                                                                                                                                                                          SHA-256:626B6FE5300EE15169C13B20CCEC05D7C7FC26833B9163550C00604F0C203C45
                                                                                                                                                                          SHA-512:80DC6EC97B3B3A1D41573B2505A287A396D764911BA1EB160F887C6A273D7FB73BD02E10616FE89CDB43B33843B93BA3DEF9456F13FD82814577CBCC336D4A7A
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>..  <WindowsNTVersion>10.0</WindowsNTVersion>..  <Build>19045</Build>..  <Product>(0x30): Windows 10 Pro</Product>..  <Edition>Professional</Edition>..  <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>..  <Revision>2006</Revision>..  <Flavor>Multiprocessor Free</Flavor>..  <Architecture>X64</Architecture>..  <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>..  <Pid>7088</Pi
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):8372
                                                                                                                                                                          Entropy (8bit):3.700664402021483
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:R6l7wVeJ6TS636YEI3SUAHpgmfTaAjA3pBRN89b/MsfA1m:R6lXJb636YEoSUmpgmfTaAjAJq/ffP
                                                                                                                                                                          MD5:390922E68DEAB1A41B7394457318D432
                                                                                                                                                                          SHA1:220E9A444E8A1B2EF895AAA370A205F8A289CCEB
                                                                                                                                                                          SHA-256:BBAB635ABA21B2B1133FC69E2A4A75E391A42044DBC5484D08D229E2BEE0D4EE
                                                                                                                                                                          SHA-512:F53DF2017C387E09F8269686F6BB391C622AD057A40E9E5B7E9463E4BDF479184FAA06C39AF410109B23DF3BEFD9CA0F1AA8692FB15B91A3AD3D52BE290F37ED
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>..  <WindowsNTVersion>10.0</WindowsNTVersion>..  <Build>19045</Build>..  <Product>(0x30): Windows 10 Pro</Product>..  <Edition>Professional</Edition>..  <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>..  <Revision>2006</Revision>..  <Flavor>Multiprocessor Free</Flavor>..  <Architecture>X64</Architecture>..  <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>..  <Pid>6604</Pi
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):4609
                                                                                                                                                                          Entropy (8bit):4.49840037169805
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:cvIwWl8zsSJg77aI9QbWpW8VYvYm8M4JpCFgm+q8nnlCJOCTrd:uIjfgI7eq7VrJ7mmyOCTrd
                                                                                                                                                                          MD5:5EAAD954582DEFEEED02D7E1CAD4E5AB
                                                                                                                                                                          SHA1:B4594E4152B30FFA4F62FAF1B57C75255E22AE84
                                                                                                                                                                          SHA-256:9266EE8E489EE0B818A462A0836CC007B6D9F7F4CA38E02584D75A23FF0383D3
                                                                                                                                                                          SHA-512:45D6F23CA9CFBA9FE512A25D655D7B441762B340460E129BACE12FC5714642024F0CEFA2B6928F44ED879181CBC804AFBF487F329C14D8FAEA89CD4FF05C13EB
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="286354" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):4619
                                                                                                                                                                          Entropy (8bit):4.48498672876319
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:cvIwWl8zsSJg77aI9QbWpW8VYdYm8M4JZaFT+q89N5/gC5id:uIjfgI7eq7VZJS0ZgC5id
                                                                                                                                                                          MD5:90151CEBC5A18A3160AB5E16A6D3F56B
                                                                                                                                                                          SHA1:6443491E5FFB4FD2273F74D3730C6EA447075C29
                                                                                                                                                                          SHA-256:6A9B1F0F88E6919540A32676988E6F102A944D486A1344D59E62DF0D3ACFE849
                                                                                                                                                                          SHA-512:AFDC0DFD89D0D1F4B1AF21D3124D538AE78D1BAF55D0896C1274285796CD6BFDF5403B50BAD22A857524756B6B87287653167F454E85F00312790F621D7097F4
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="286354" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Fri Apr 19 05:32:09 2024, 0x1205a4 type
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):53416
                                                                                                                                                                          Entropy (8bit):2.167712376901761
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:plUXCu7D5hktS0ROqQTv5YLcunQvzk7wWJw9Sv9568JqKKdSMC6C5L/hTkv:+D5ISVxTvicJ7k7VMmG
                                                                                                                                                                          MD5:1D86A79280277A54C6853C250D523001
                                                                                                                                                                          SHA1:D09A27CEF99EE5C7584F5E25704605BF10412A8D
                                                                                                                                                                          SHA-256:A9B829645C747D6EAA7E9BD3E9E033DB50448987A095490C889DBC4874D52B76
                                                                                                                                                                          SHA-512:5A9269659B2A17EC979207ED4BB3080C7D2ACF22BEA26A840C6DBC2F15EF4AA9C59F3D4410795E5078F7409178536A2D739950D9953B0490B8792AE3806684DB
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:MDMP (binary minidump; readable strings in preview: GenuineIntel, W. Europe Standard Time, W. Europe Summer Time, 19041.1.amd64fre.vb_release.191206-1406)
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):6338
                                                                                                                                                                          Entropy (8bit):3.72877808087171
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:RSIU6o7wVetbhIuz6SYiKHFXIEpgaMOUwx89bH8sfvNm:R6l7wVeJeuz6SYiaQpBy89bH8sfvNm
                                                                                                                                                                          MD5:7416980FD3995A9E0D667F77E691C350
                                                                                                                                                                          SHA1:AB75A86508CCA327A7C71BC66EAAE49831D4BEFF
                                                                                                                                                                          SHA-256:2432B9A167785D8720C3888BB08CA56438766B3A2B48253D3D012FEF14C0CAF3
                                                                                                                                                                          SHA-512:37A829C0258CF95A0C3A5B34EF968A477E31112F41AF9D998864F1AD460BD790301EA4B8FCE5982A1371A38C0209EABF5DA999FF308D0E94A842EF1398DC2787
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.8.<./.P.i.
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Fri Apr 19 05:32:09 2024, 0x1205a4 type
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):53060
                                                                                                                                                                          Entropy (8bit):2.1797761200135173
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:ppcBzXchgiEN1CROWQTv9vDBzpd5lJ4Dxcxj6SnJ2KUz6nNOdastz7zqy:0KgiENhFTv9vDBzzRNznNO/J
                                                                                                                                                                          MD5:161F078770CFB18A8A6F54C9C55BC535
                                                                                                                                                                          SHA1:1BA6EC00D5DBFEDABD348E57B676559F56D259D8
                                                                                                                                                                          SHA-256:6452A7FDEEAB6F4D6C97623CF4511B271AF153C66F64274592B8104A7FE34052
                                                                                                                                                                          SHA-512:0CE49FCB67535AC8E7549B7C7C484DC4DCC62FB57FF24CA9EE1434964060088ABFF9846C2430459A3A7161DC37D7799054C20EAF77763835D07F91AD3628CE89
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:MDMP..a..... ........."f....................................$...............&/..........`.......8...........T...............l.......................................................................................................eJ......<.......GenuineIntel............T............."f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):4609
                                                                                                                                                                          Entropy (8bit):4.4972323764733515
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:cvIwWl8zsSJg77aI9QbWpW8VYJYm8M4JpCFf+q8nnlCJOCTrd:uIjfgI7eq7VhJWmyOCTrd
                                                                                                                                                                          MD5:A27E3D87306EA59CE731FE097BAE3A2E
                                                                                                                                                                          SHA1:65DDDEBF972CF869C149A901FA34D7A5BF89E927
                                                                                                                                                                          SHA-256:75859D091E40B47A3B9ED152D444C9580C046D6ACB1D5D6F8FD073CDF87FF8A7
                                                                                                                                                                          SHA-512:EB749BE6DCE016D1E454CB60731EF2F55944DA57A869D6EDEF64469714778623DF19F96903576FD5487B061274D659155DA330EEBB55B37FEBCF33D545D865FA
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="286354" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):6338
                                                                                                                                                                          Entropy (8bit):3.727173013868775
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:RSIU6o7wVetbwu360yBYiKHFXIEpgaMOUO89bHRsfjTNm:R6l7wVeJwu360yBYiaQpBO89bHRsfnNm
                                                                                                                                                                          MD5:2000E0ACF553464841BB0528895C086F
                                                                                                                                                                          SHA1:9C2D8761240451A99678E20A71B54618E52874C6
                                                                                                                                                                          SHA-256:C45EE38AA1A64966C905D1ABBFD27A5FEED1D24ED03B9CF8EECE6711C1C4E19A
                                                                                                                                                                          SHA-512:1BE4130BD707EBF3138E06FE372658B7CE1C1D65CB573E9E6F68ED2D4044E61170162D0C650C020E64AA390D346BA7FF89858FA74C7ADF60D256807DC9317988
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.4.0.<./.P.i.
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):4609
                                                                                                                                                                          Entropy (8bit):4.496123935287047
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:cvIwWl8zsSJg77aI9QbWpW8VYOYm8M4JpCFrJ8+q8nBCJOCTEd:uIjfgI7eq7VGJ7CyOCTEd
                                                                                                                                                                          MD5:E7EBB9EBA7B1BECF8AAEA32383CB40BD
                                                                                                                                                                          SHA1:EFFD0683C80C9C0EDB2E522EF5946234BD07A4EB
                                                                                                                                                                          SHA-256:BDA61335E29A0398816D80D7B9179534ABA8ACF950FD2497175779E64CC7B4AD
                                                                                                                                                                          SHA-512:12AA4A21FABD3E617BDE4BC3773E4388781D741E4E29CE4CC27C7DFB3DBF6A07C34981296A3274F63B4483C8E4FE5CFC32D7A649A3E07C6A714FE5AA43BF3EF9
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="286354" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Fri Apr 19 05:32:00 2024, 0x1205a4 type
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):54784
                                                                                                                                                                          Entropy (8bit):2.2033392464200436
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:8x4j/Xx5viPPLFOqQTvp1ocB2YIEE0YyXWkt6/AMKK20tBqcCGqO4yeOPnU78+9:+6cPMxTvfoMdlXoBqcCJgcX
                                                                                                                                                                          MD5:2A62FA0F61070361E0757F76231A70E0
                                                                                                                                                                          SHA1:9CBF6385A07B32F89B6BA052DFDE721FA586DB4F
                                                                                                                                                                          SHA-256:EF82D01FA986B6152A2FC4029F9FB546B511D66862A819774A59C47621CB1F52
                                                                                                                                                                          SHA-512:C0DF4080A3ECB9D24D85E162BD2F970DED7F85BE9BFB661C4565C41ADF91F5572A36665038874705F9BBBB1463C4E490F5BE4CEE51B8C7F2716B9DBD27B059F2
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:MDMP..a..... ........."f....................................$...l...........:0..........`.......8...........T........... ".........................|...............................................................................eJ..............GenuineIntel............T............."f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):8368
                                                                                                                                                                          Entropy (8bit):3.7030992198200736
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:R6l7wVeJ6T06a6YEIiSUPtgmfDQpBT89bGMsfHnim:R6lXJl6a6YEdSUPtgmfDDGffT
                                                                                                                                                                          MD5:ADF4C4B452BA6B2473B9AEA15B94D265
                                                                                                                                                                          SHA1:C84E0A38CC543D9BD854B82B3A4D1C5FD0EAE347
                                                                                                                                                                          SHA-256:554E782201045347C7D64C29805B5D27EAA6787262987B183BC660B5C06FE0CB
                                                                                                                                                                          SHA-512:ED0C94308641FB7569509DAB72E947358FB852A12786AB7443CFC5135E183A6D1936F717FD8C4DE4AD0F1B25D8AE2627BDEF806814C82DF2C126D17EDCE8D262
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.0.4.<./.P.i.
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):4619
                                                                                                                                                                          Entropy (8bit):4.486802193146605
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:cvIwWl8zsSJg77aI9QbWpW8VYfYm8M4JZCFey+q8lN5/gC5id:uIjfgI7eq7V7JnysZgC5id
                                                                                                                                                                          MD5:AEDF3578B80F43C16A0D626FEDF023DF
                                                                                                                                                                          SHA1:344BC57C5420EB793FB1DCBE2DA11FCEE37E6E2B
                                                                                                                                                                          SHA-256:68E16AD8AF10F7053F2117A97FED21837A714F35818911B23EDC69BD54D7EB6C
                                                                                                                                                                          SHA-512:D194D1C7D88685232F7D5836027E89699CAAF8055C375BF7E1A01A4016B07E7B70FECF6E1A424353EE56EB36C8849A4A7FD66212856F6EC35E919C61D830278B
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="286354" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Fri Apr 19 05:32:02 2024, 0x1205a4 type
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):66372
                                                                                                                                                                          Entropy (8bit):2.257362810929005
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:384:7czOYQ9xTvkBCMBzXehrDCV0fqtA71WvRLx:76JwxTvCBbMnD9WvRN
                                                                                                                                                                          MD5:9DB9AA0C7BD060AFF523DDA752247E53
                                                                                                                                                                          SHA1:CA37B49793D93E79B6A275999054E881DF35D725
                                                                                                                                                                          SHA-256:13461BD6B185A86112AC0FFC5FF95909320747D9A8509C7DFB28AE66DA980343
                                                                                                                                                                          SHA-512:092C772437721979384467BF12BA92AC5FC0D97C729F6B7335D3AFC3E96534D178EA901D03B1960F36B3B21683CCADD37DB7E1BA1DA594F84CCD5A849DF73D4E
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:MDMP..a..... ........."f........................l...........<...t.......$....4..........`.......8...........T............%..d.......................................................................................................eJ......4.......GenuineIntel............T............."f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8368
Entropy (8bit):3.7023583407877196
Encrypted:false
SSDEEP:192:R6l7wVeJ6TM6ML6YEIhSU8YgmfDQpBG89bUMsfa8m:R6lXJN6Q6YEuSU8YgmfDIUffw
MD5:F0EAF54A50CF89F65715106EBB41F548
SHA1:21F49AD0BFAD44DF86176A8170A93021A41940DF
SHA-256:20527BE7252A759B9FABBCF004ACAACB163987B073EF96FAC66BF1F4D052DFD6
SHA-512:23B43E1C1CEB75A011DB91A2BC434E6C0852009950DF0BC9B1FA17C7D8954DB8932FC6BDA0F8AC74205E21BB3A4C4EB3CC69DA5CBFEC1BA7EF9F75F4D63092D2
Malicious:false

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4619
Entropy (8bit):4.4865986574404095
Encrypted:false
SSDEEP:48:cvIwWl8zsSJg77aI9QbWpW8VYgEYm8M4JZCFX+q8lN5/gC5id:uIjfgI7eq7VpxJWsZgC5id
MD5:1E2FC67CB358A783C10193AA75BC8FDF
SHA1:571AA7830DDFAC063C5C2607D7D321E9D6A2AF51
SHA-256:51E00A064D90C1621765DB76AD7954BBB33BEF745F47DD7D6FD9C101FBFF368E
SHA-512:E9162B11CAA4EB671E1359AAC6005E605F6125CCDCA2CB9D15836ECFB6AC99CBC29D6380A0441CD0FEABAF54E4DB9B832B135E2D603C8E7D4EB368859C7916ED
Malicious:false

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Fri Apr 19 05:32:03 2024, 0x1205a4 type
Category:dropped
Size (bytes):72644
Entropy (8bit):2.2040332478892557
Encrypted:false
SSDEEP:384:IFptPRWPJ0eMxTveQ+OzgxdSCVSliYq17NCTFXLgmb:IFpRWJ0/xTvQOsxdS1iUTFbb
MD5:D4A0B4353F41CCBD6BCEB85B59CE63C1
SHA1:8263C705B220FFE4848B7AC47EFD848BFE2BAA63
SHA-256:EDC5E10E17924345A227477268269E7728D048064BBDEADAE56C780F5B9CC608
SHA-512:EF7E06E11B804AA6D383CAC78B501542208FA98B1E54E07708C7A4F76BC6226185A43E674B655255520AA3810CD3DDF582CC9D701F3A14178F9CBB89CE93B365
Malicious:false

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8368
Entropy (8bit):3.7037786095298855
Encrypted:false
SSDEEP:192:R6l7wVeJ6Ti6hbM16YEIfSUl5gmfDQpBP89bdMsfU/m:R6lXJD6hb26YEASUl5gmfDndffB
MD5:F51C6515D36832C3C87EC21F70C0982B
SHA1:ACCCF0FF7F732C1EC8027A95CD897E1254911DE7
SHA-256:D741CD672DCD8F5FE0DD216F96E1182E62E9F878632FC2D1E4B3D566FE9F4F48
SHA-512:DD19C639FE4CFF8A2213CDF46C0A7BF7103C41F7C2E07F13FA19B73FAE7A4EF1ECC9EDEF41349CC80C9329819002B22CCD7436D788EE88BC5BC53562EF844156
Malicious:false

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4619
Entropy (8bit):4.486177998777661
Encrypted:false
SSDEEP:48:cvIwWl8zsSJg77aI9QbWpW8VYkYm8M4JZCFH+q8lN5/gC5id:uIjfgI7eq7VQJKsZgC5id
MD5:27F75E889660803F3578E9C45F0332AF
SHA1:55090C657BA80C3CA03167BE97DD51D64B595563
SHA-256:98E363C0AFBA43426C871A4355CA7E013BB21493893C734124215A55BB6008CF
SHA-512:C93431A9B7774BD4BF1F7EBF2962C52D64E835C20277FADA0E2DEB423A65625FEE08636E395A7D85AC770BC35E41E153AFA568472CAED477B657436DBE56A343
Malicious:false

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Fri Apr 19 05:32:03 2024, 0x1205a4 type
Category:dropped
Size (bytes):77438
Entropy (8bit):2.113779226603595
Encrypted:false
SSDEEP:384:Sf+TYhixTv6OUzVMWNISbVL/qFqWcIp5:SQGixTvdUhMqIShkcIn
MD5:E17ACEEB5A8F46D0E42CAA0FC8EA9D21
SHA1:950B7D64D196FF5C087B539935AB43FEEBC385C0
SHA-256:3F9DAEF037EBCF076F0B4F05B8A1FAEA6F988CA2C324839F4255A83C5C11049F
SHA-512:ABAA71F487B0E06D3BFAF88D92D934996026DB156917FF6189AC0D0589322B55B96ACB06DDDE6327E271460C583E2329B97373C79387A97E0C8C752693E30D3C
Malicious:false

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8368
Entropy (8bit):3.703390625205543
Encrypted:false
SSDEEP:192:R6l7wVeJ6T66d6YEILSUZZgmfDQpBOx89biMsfJiWm:R6lXJL6d6YEkSUZZgmfDmiffg
MD5:51ED724548065F967CBED7D71F790CDA
SHA1:B7DAD2126E1A0276805C3EC0732DDC2842AAFF53
SHA-256:05D41B4F78300842245AE0AB2236FB9E74F18119AB4D2B8C585C1FCDD8CDFBD9
SHA-512:AD5E0D238A4A8E6A99EFB04007B90CC7463879E13ABEFAAC2D20E0A76D5CB231E2B18B2876C4B5D6BC1E29A663681E9963FA1BFDBD50ABB63138F1383649AB6E
Malicious:false

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4619
Entropy (8bit):4.489551676158721
Encrypted:false
SSDEEP:48:cvIwWl8zsSJg77aI9QbWpW8VYfYm8M4JZCFYZ+q8lN5/gC5id:uIjfgI7eq7VjJFsZgC5id
MD5:D1FB93223B49F19541149006CABFA611
SHA1:E0285D75BE619077FF96A1535EECD933BDF9B7E6
SHA-256:EFD060DBE65857591D1DFEFAC35B0A571E88002F4743367539A7C81A164772D4
SHA-512:6913E7E00DD1A3FAF29C310C06F0F73E5002B7F80F2D1AEA127BF55FEED8FF8DFEEF32026279FE8F98A2FCEEADD9870BA5E09759B3685D8670E166B2E8E629D5
Malicious:false

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Fri Apr 19 05:32:04 2024, 0x1205a4 type
Category:dropped
Size (bytes):91084
Entropy (8bit):2.2394042136108716
Encrypted:false
SSDEEP:384:Zvf4oSxTvwpmju5ebzl0bVXrpIHwPOFAqhW7hJ0P09DhuBoK07W:ZXRSxTvwpmj1bB0VCwPOFsJ0P09dTKv
MD5:FE74488E5688F727868415DECD66C39D
SHA1:BD63A366A047CCF7C49AF76CECE277299B553762
SHA-256:FFC3D517F1BEA69B6CDB71838355F969F00131DB9D93BC4A447EE7AFD12D9B4B
SHA-512:90024EBB90FA891E1914A288B3AA977C157C708D9B9E690B82580C91EE48B460123CFF75FA8DADA7E3AAA68253F8E66CA7A6997AD33ED605BCEFFE5BA9B8E873
Malicious:false
                                                                                                                                                                          Preview:MDMP..a..... ........."f....................................<................?..........`.......8...........T............-...6......................................................................................................eJ......t ......GenuineIntel............T............."f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):8368
                                                                                                                                                                          Entropy (8bit):3.700099758812172
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:R6l7wVeJ6T36h0e6YEIISUZZgmfDQpBT89biMsffAWm:R6lXJ26r6YEHSUZZgmfDTiffA
                                                                                                                                                                          MD5:D48A5D5AE472B86A8845EDDAC15C2C46
                                                                                                                                                                          SHA1:DB37BD45063F22BF567AFA995595381D717AD453
                                                                                                                                                                          SHA-256:0543AE039E43605EF28BCCAE82893DD646C339D3F8395965DFD0582395BD4520
                                                                                                                                                                          SHA-512:BF9E74963759A73B94CA397580306BF71BD9DB53708B5109C1810D22F87F5820F7F272D8654624703131FD4298F7DD2422D37D7B67F028F44E4062D750071FE0
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.0.4.<./.P.i.
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):4619
                                                                                                                                                                          Entropy (8bit):4.489099847973439
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:cvIwWl8zsSJg77aI9QbWpW8VYrJM0Ym8M4JZCFB+q8lN5/gC5id:uIjfgI7eq7VyMBJIsZgC5id
                                                                                                                                                                          MD5:140FC9EE61250160F05F575F1A0C56F5
                                                                                                                                                                          SHA1:43604F1D09F059EA1A63353BF211F81542D0247D
                                                                                                                                                                          SHA-256:6AAFB4A09C4C41E6BCD968278484F6500FB15695CA2CDCD481198C76AFAC8C4A
                                                                                                                                                                          SHA-512:DDFCA0C1C89BF401591F8F7877CCECEE37C4FBE18F0BDB88189A85E900485E35338EE8AB860454816C57FC38C203EDAC83DCBE361349CBD12AA8EED8A75EB44E
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="286354" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Fri Apr 19 05:32:06 2024, 0x1205a4 type
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):101920
                                                                                                                                                                          Entropy (8bit):2.226513122666629
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:384:XDKYEGVmxTv6B1uJljoz36XWO5yXgg4W0bVs8q3+0YUD2Lv8oEc11SBMfU3mUjjk:XbtmxTvKYJljo75Qg4W0KWUDEjUv7H3
                                                                                                                                                                          MD5:132E969C54CF3B041B6E65B622E562EB
                                                                                                                                                                          SHA1:9217EA3FA9D2645BBC76612E590BE809978F3A3C
                                                                                                                                                                          SHA-256:EA8A492C13254AA1F09A1E0551EBD0ECE147DED1EEEB3826184469F19FDE22D1
                                                                                                                                                                          SHA-512:16E2FFED158D9C95A57702E683EFC81BE338AE379F9D90BA6A59DCD9B101396A338CC768BF94C91A7EFD5EDD60A3674FFF5E8C28DC7F4BC006D15A1860BB89B4
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:MDMP..a..... ........."f....................................<.... ..........fF..........`.......8...........T............7...V...........!...........#..............................................................................eJ.......#......GenuineIntel............T............."f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):8370
                                                                                                                                                                          Entropy (8bit):3.701360975659398
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:R6l7wVeJ6TjB64R6YEIYkSUOiRgmfDQpBa89bwMsfGwm:R6lXJoB6O6YEtkSUOiRgmfD0wffo
                                                                                                                                                                          MD5:47BDD7D66D25C7421BCA5283F6CD113C
                                                                                                                                                                          SHA1:C4338DDD60BDF00C949A7030FE5C8CE1569AC6EA
                                                                                                                                                                          SHA-256:1441F974A8137895908FFEB29B04B470A88E4A0B7C74F56929AFDEA63877D50D
                                                                                                                                                                          SHA-512:D9573A273123FA2EDC0415F6881729788A4B7A66238F043C6B779E6F313C4CA41E2833D56D6B8D1DE272C88D512E019D1D54D1357ABFD05B39B24ACFE54C0C41
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.0.4.<./.P.i.
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):4619
                                                                                                                                                                          Entropy (8bit):4.484702722437543
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:cvIwWl8zsSJg77aI9QbWpW8VY9Ym8M4JZCFm+q8lN5/gC5id:uIjfgI7eq7V9JDsZgC5id
                                                                                                                                                                          MD5:DCBC0849D2DB8174671C2A39E4E94201
                                                                                                                                                                          SHA1:F223088A0FA37DF72E7B5E15D2AB46BE6EB1185B
                                                                                                                                                                          SHA-256:9B55E8E614E6B46FD551F43C55B9C02CB4A682F9773B549C82304C975A3BF279
                                                                                                                                                                          SHA-512:EC52F7EAED92569DDB130AA0779C6401D882DF222A4193E0B9A53E30F5D8BE0FC7A3F843C76723AA6C2A153FA15BC0EE2170E0662572546EE994ABB2AA86632A
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="286354" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                          Process:C:\Users\user\Desktop\s2dwlCsA95.exe
                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):936960
                                                                                                                                                                          Entropy (8bit):7.521887431067791
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12288:tQEfkgrq80neiZWArK6ye6wxM9b8QraUO3dVwJ3rvcWZK6YFdFzlEh6pN1PuuQvp:mQkg280uArzD6o4I8OeDpMNEBt
                                                                                                                                                                          MD5:360F5B40A6CBC8F99639D6989A3FD0AC
                                                                                                                                                                          SHA1:1709413509C4DEDF9E0452D818A5991C0740CA86
                                                                                                                                                                          SHA-256:09C9E09EF1371E9BC9292ABCE47D8BD0FDAE9CB9FECC42CCFD51F983F43E2BDF
                                                                                                                                                                          SHA-512:A2B273EC5AD9555255F0437388DDEA538290C8F4E0A3DC3FCC058C1D28E5BB45C4FECF1A44C644C8A2D87659305EAB7036432C31906CF6F707A1D77B9A82B75F
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 47%
                                                                                                                                                                          • Antivirus: Virustotal, Detection: 51%, Browse
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........]..R]..R]..RC.,RL..RC.:R?..RC.=Rw..Rza.RX..R]..R/..RC.3R\..RC.-R\..RC.(R\..RRich]..R........PE..L...,`4e.....................$......V.............@.................................L...........................................<....`..................................................................@............................................text...}........................... ..`.rdata..Nf.......h..................@..@.data.....~..0......................@....tls.........P.......0..............@....rsrc........`.......:..............@..@........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\s2dwlCsA95.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):26
                                                                                                                                                                          Entropy (8bit):3.95006375643621
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):2939
                                                                                                                                                                          Entropy (8bit):7.734264741450952
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:9+aRL8DZIDipn14JShzpWsnt5BGvvqRDCTlzfWYqwC+FYhSQFjysdqr1APn3KJ6X:58DlOe9/tsqRDC8mmYQF+sYr1AP3KJ+
                                                                                                                                                                          MD5:19EF12E7C45B531108859C4F12800EB6
                                                                                                                                                                          SHA1:3B9F7B1372D776D3B4010FC788BFC52D09385FB0
                                                                                                                                                                          SHA-256:BEA5A43EE9F3D1FAE5336A45362890062AF6B11C74C79393DB71BD8717B37437
                                                                                                                                                                          SHA-512:683FC4B7CCE32428496A0CD9416CE1CDC442556FFAF8511B56F7942DA77F39A8DDAE0D0A76842779BF1B2F19283C890DE27B77144B9452C48BF8C601817EB1AA
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Yara Hits:
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\9EaqYGrOoLZGqTHtmnARfPr.zip, Author: Joe Security
                                                                                                                                                                          Preview:PK........#<.X................Cookies\..PK........#<.X..E.............Cookies\Chrome_Default.txt....P.@.5.....d...`|L2J1l.. .3."_..N.......q..b..=../c.;{.........4F8...0..Y.........Z}Y.g.<w3.f.W(....K.o..l...!*.......y.o;.F..5%.....|0MS.....J.,....../.o...8.H...,M.......;.....I!.z.W....j...e....fE.?.X....6...g...skL.K.85b.U.5...[/.<.h....C..|...C5"{..i.$...'..W).f.O.i..4.....L..Z..t.Z(].2.m.?..<....]........f..I3?.q..8U.6...8.N.y_#Vb...g.k?.Z1.!.3$.....\.%...PK........#<.X.co/............information.txt.Ymo.8..n....~I..wI.t..6i....m...h[.,.$9qw...(...U..A.k8.>3...%..4..;..y..].e.gCD.....>.J..."A.].H..?dt.}D1..6I./?.Q...K.."_...).,.x9......e.e..iQ.....|..@.H...z.D$..Xj.2..d..{.......@.....K.V.*.EK.`..j.SUm.h<.]..[.....v..u.{....J..dJ.y.........}H..g`...[..K.|./..}z_....r:D.....'h.W.Q.H.f.@.*UYe........WI...C40.'Y.?.Ct...F."G7.......n_..}U[.. .d....../...-.F..|\n...%..U?...t. !4..b.......{..!..`|..}.?..*.....<[.I.A'.,.t..$.:..../....h..H.......
Process:C:\Users\user\Desktop\s2dwlCsA95.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:modified
Size (bytes):2934
Entropy (8bit):7.736498266975165
Encrypted:false
SSDEEP:48:9GSa+L8DZIjM9IgTw4sEGGr0u/4w0iEhV2wbOhSQF5QjOE2e8n3KJ6GakPOKA+w:V8DhbTw4sEGGr93JIkwSYQF5Re83KJW
MD5:0009B74DDB289F289B7D141E80B14080
SHA1:212C0541E3E57531ED0ACB67A5A055C82537398C
SHA-256:032A3B4EF84BA8BDAF1E0DD21857BCD86EE26944562870032AEC363F43D83D3B
SHA-512:DCD7EEC2C82C36395E5653E03EA50568F646869473F9B0629337ACC1A3758F8B431D6A905CFD54F21689A04704E484837EB25AD0F9DC9C2AE4AB7CED0BA0BBF2
Malicious:true
Yara Hits:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\Aso5djWiC8bybG6teNs2YR5.zip, Author: Joe Security
Preview: (non-printable binary zip data omitted)
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:dropped
Size (bytes):2937
Entropy (8bit):7.728920916320867
Encrypted:false
SSDEEP:48:9VaOL8DZIFH48iW8+4U1tBnOkH7IqV+llqPu3uVEuttn3KJ6VkfOk8w:V8DY48iW8+JtnOtqsPqPuORtt3KJB
MD5:E0DC61713A50BCC6F98C883F339FC980
SHA1:C3357C8BCE7607C4A49751D82EF1A2B905036804
SHA-256:268635F007D976BBEAB30D05E5F97ED5DCF367EAA4A9483740E066D7F88A8789
SHA-512:88B632F573E406EAE58F5A2C0922F494AE2DCE95DC435A89642FC9E01E8525B0A1F9C74497118438AFA3AD79BFDFB50C960C34321E683E296212A70C29CC93FA
Malicious:true
Yara Hits:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\CaUaqkY92GovL9TcuRMGkgg.zip, Author: Joe Security
Preview: (non-printable binary zip data omitted)
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:dropped
Size (bytes):2924
Entropy (8bit):7.73971239698968
Encrypted:false
SSDEEP:48:9WIaWzL8DZIZWHFrUmzfOEQ3CcNYsuUFzKgKQWTYnA6kVK/On3KJ6WAkWaOWbU6w:98Dd53zfODNYsn0UVO423KJg
MD5:704B1E103EAE71021F04275960C093ED
SHA1:968D2CF61ACB2427FB1C161132C87FEEA2871062
SHA-256:2F3A95BD9674A04459EF26A98461E3633071215A4DE052DF01248658365773B6
SHA-512:EF096847AE9E67A7B61D6C01C5276A1C8A84C49B3455A03F1DA8827A8D51D9AA0068F10A23F8493E49600D3185371A237BC2EF4925BD648C81A82D609E1BF452
Malicious:true
Yara Hits:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\M3KUyMMJ1wTzBxomWRvBAGK.zip, Author: Joe Security
Preview: (non-printable binary zip data omitted)
Process:C:\Users\user\Desktop\s2dwlCsA95.exe
File Type:ASCII text, with very long lines (369), with CRLF line terminators
Category:dropped
Size (bytes):530
Entropy (8bit):5.999391385907715
Encrypted:false
SSDEEP:12:copYxSlufq7gCx7Fbyr4rOSlTfJJADr6HDsZQZ7gC6:KauS79Gr4iSllJALQZ7c
MD5:06ED2CD304730F55A5C7001509E128BE
SHA1:49651485B2CE3D239172BD52BF5A265AB3EB8E18
SHA-256:66851B5AA77B3DEE71B842F53D4E30F664F5A08F9754B9E87B323871981516A4
SHA-512:0163A8537DE695D34865EEB9C872F15A1827644D8797344A2D36E776F174E5901E77AA560488B0D7D7359B3648614F818B85A7D51F59CCDF2831B5715F5A9334
Malicious:false
Preview:.google.com.FALSE./.TRUE.1699018815.1P_JAR.ENC893*_djEwmUj/dRHWNmfhbTB/w+u3HcpAF49UGcxvovgmz9ye9OQyJO9KCFHkRm8=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*...google.com.TRUE./.TRUE.1712238015.NID.ENC893*_djEwFCqquAx+Q1mLxpuZeEBJZSgzAt4Ngo/HHXcYPxMGINXG0MJzCe/y7m5VzpUyfsA6ingOdNobTvWP/YbKYpzg64nmGlCjRU9RpPIjDAuAxGlp5MTMUaOP4iC8aSCuijjqDE5gAdZQ5Jgb0/uEAZ4ssWGDsxXJbqpGbi04viYfPDhBfQ9XKXznqtHW/weYlNZJIGlKZBsCWoEIKfuL56VHKaBt04gLO/XK1/P3nHsp6pSc1x1uk1RRK7hSYUjCY5G/hcpBBjFv74dICDI=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*..
Process:C:\Users\user\Desktop\s2dwlCsA95.exe
File Type:ASCII text, with CRLF, LF line terminators
Category:dropped
Size (bytes):7556
Entropy (8bit):5.505835648079829
Encrypted:false
SSDEEP:96:xpSr7JnBZRhRc2KBhA6tsxODsKe8QL66I15rNANUbg3x:xSHRX6tsxPKuL7B
MD5:01E9F492D4A116A01DE1ECA8AC424F3C
SHA1:D9F33DB9F9DF6C40C669D030C8F0B8017525F5F8
SHA-256:520680BFAA191AE241BCFC0212FC92722D53C9B564C22DF8E39F5D3ED7904EC1
SHA-512:E00B8D7A4464D331D6ABA2AF80E246B307427D590D028E3A3578D0CC69A27264847AE176E4A9BD13973F9B6E79F6D574798B5DB1173B749B0636EA8FF0042067
Malicious:false
Preview:Build: kedro..Version: 1.9....Date: Fri Apr 19 07:32:21 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: ae479c866f08ae2b6af02a3ccb3807ba....Path: C:\Users\user\Desktop\s2dwlCsA95.exe..Work Dir: C:\Users\user\AppData\Local\Temp\adobe5tQMZAayLr2i....IP: 81.181.57.52..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 888683 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 19/4/2024 7:32:21..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [332]..csrss.exe [420]..wininit.exe [496]..csrss.exe [504]..winlogon.exe [564]..services.exe [632]..lsass.exe [640]..svchost.exe [752]..fontdrvhost.exe [780]..fontdrvhost.exe [7
Process:C:\Users\user\Desktop\s2dwlCsA95.exe
File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
Category:dropped
Size (bytes):4897
Entropy (8bit):2.518316437186352
Encrypted:false
SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
Malicious:false
Preview: (non-printable content omitted)
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:ASCII text, with very long lines (369), with CRLF line terminators
Category:dropped
Size (bytes):530
Entropy (8bit):5.999391385907715
Encrypted:false
SSDEEP:12:copYxSlufq7gCx7Fbyr4rOSlTfJJADr6HDsZQZ7gC6:KauS79Gr4iSllJALQZ7c
MD5:06ED2CD304730F55A5C7001509E128BE
SHA1:49651485B2CE3D239172BD52BF5A265AB3EB8E18
SHA-256:66851B5AA77B3DEE71B842F53D4E30F664F5A08F9754B9E87B323871981516A4
SHA-512:0163A8537DE695D34865EEB9C872F15A1827644D8797344A2D36E776F174E5901E77AA560488B0D7D7359B3648614F818B85A7D51F59CCDF2831B5715F5A9334
Malicious:false
Preview:.google.com.FALSE./.TRUE.1699018815.1P_JAR.ENC893*_djEwmUj/dRHWNmfhbTB/w+u3HcpAF49UGcxvovgmz9ye9OQyJO9KCFHkRm8=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*...google.com.TRUE./.TRUE.1712238015.NID.ENC893*_djEwFCqquAx+Q1mLxpuZeEBJZSgzAt4Ngo/HHXcYPxMGINXG0MJzCe/y7m5VzpUyfsA6ingOdNobTvWP/YbKYpzg64nmGlCjRU9RpPIjDAuAxGlp5MTMUaOP4iC8aSCuijjqDE5gAdZQ5Jgb0/uEAZ4ssWGDsxXJbqpGbi04viYfPDhBfQ9XKXznqtHW/weYlNZJIGlKZBsCWoEIKfuL56VHKaBt04gLO/XK1/P3nHsp6pSc1x1uk1RRK7hSYUjCY5G/hcpBBjFv74dICDI=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*..
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:ASCII text, with CRLF, LF line terminators
Category:dropped
Size (bytes):7590
Entropy (8bit):5.510050592515684
Encrypted:false
SSDEEP:96:xpir7VZRh5Lc2KBhA6tsxODsKe8QL66I1bDRANUbg3x:x+H5LX6tsxPKuL46B
MD5:BE63F3D7513444CD569D191B0DB0A52F
SHA1:909BCFE7F67F9020554688755DAA530B6E712B88
SHA-256:03B315DB531331A32DEA1855128E35DF4FA37B119C906BF994EA2DE8A0E1C2CE
SHA-512:C6A4B9BC1902B79532778DD4F8371616505D05670CBAAFFE5A23E0EEE58E2F03EF851CBC1B522E093D7928D3232B48F1849317386D147CE065089CDB3CDE245C
Malicious:false
Preview:Build: kedro..Version: 1.9....Date: Fri Apr 19 07:32:47 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: ae479c866f08ae2b6af02a3ccb3807ba....Path: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\adobe8JCb_VPvrS5h....IP: 81.181.57.52..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 888683 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 19/4/2024 7:32:47..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [332]..csrss.exe [420]..wininit.exe [496]..csrss.exe [504]..winlogon.exe [564]..services.exe [632]..lsass.exe [640]..svchost.exe [752]..fontdrvhost.exe [780]..fon
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
Category:dropped
Size (bytes):4897
Entropy (8bit):2.518316437186352
Encrypted:false
SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
Malicious:false
                                                                                                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:ASCII text, with very long lines (369), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):530
                                                                                                                                                                          Entropy (8bit):5.999391385907715
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:copYxSlufq7gCx7Fbyr4rOSlTfJJADr6HDsZQZ7gC6:KauS79Gr4iSllJALQZ7c
                                                                                                                                                                          MD5:06ED2CD304730F55A5C7001509E128BE
                                                                                                                                                                          SHA1:49651485B2CE3D239172BD52BF5A265AB3EB8E18
                                                                                                                                                                          SHA-256:66851B5AA77B3DEE71B842F53D4E30F664F5A08F9754B9E87B323871981516A4
                                                                                                                                                                          SHA-512:0163A8537DE695D34865EEB9C872F15A1827644D8797344A2D36E776F174E5901E77AA560488B0D7D7359B3648614F818B85A7D51F59CCDF2831B5715F5A9334
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:.google.com.FALSE./.TRUE.1699018815.1P_JAR.ENC893*_djEwmUj/dRHWNmfhbTB/w+u3HcpAF49UGcxvovgmz9ye9OQyJO9KCFHkRm8=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*...google.com.TRUE./.TRUE.1712238015.NID.ENC893*_djEwFCqquAx+Q1mLxpuZeEBJZSgzAt4Ngo/HHXcYPxMGINXG0MJzCe/y7m5VzpUyfsA6ingOdNobTvWP/YbKYpzg64nmGlCjRU9RpPIjDAuAxGlp5MTMUaOP4iC8aSCuijjqDE5gAdZQ5Jgb0/uEAZ4ssWGDsxXJbqpGbi04viYfPDhBfQ9XKXznqtHW/weYlNZJIGlKZBsCWoEIKfuL56VHKaBt04gLO/XK1/P3nHsp6pSc1x1uk1RRK7hSYUjCY5G/hcpBBjFv74dICDI=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*..
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):7552
                                                                                                                                                                          Entropy (8bit):5.5087218331468195
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:xpfr7QZRhCc2KBhA6tsxODsKe8QL66I1bnANUbg3x:xmHCX6tsxPKuLXB
                                                                                                                                                                          MD5:77D2023E6A3958817521F96254DF23A4
                                                                                                                                                                          SHA1:6887EFBB4E85F2DDE8734A1105BAA8C6F5B3E3D3
                                                                                                                                                                          SHA-256:FEBB7C02DD0EE007269D5A33DD98C0681A737757B493FC645A35930E141EC73A
                                                                                                                                                                          SHA-512:9B8F6301964B5BC1AA85ECE5E46E45DFC282F1BB90992292548E0D15431F38A6C15FF266D8433DACE3EF3AC9C46B9A56DCFFE50FB839AD9DA4ACE8E1F7A84F16
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:Build: kedro..Version: 1.9....Date: Fri Apr 19 07:32:44 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: ae479c866f08ae2b6af02a3ccb3807ba....Path: C:\ProgramData\MPGPH131\MPGPH131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\adobeUVGGzgpMYGEJ....IP: 81.181.57.52..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 888683 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 19/4/2024 7:32:44..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [332]..csrss.exe [420]..wininit.exe [496]..csrss.exe [504]..winlogon.exe [564]..services.exe [632]..lsass.exe [640]..svchost.exe [752]..fontdrvhost.exe [780]..fontdrvhost.exe [788
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):4897
                                                                                                                                                                          Entropy (8bit):2.518316437186352
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                                                                                                                                                          MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                                                                                                                                                          SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                                                                                                                                                          SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                                                                                                                                                          SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:ASCII text, with very long lines (369), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):530
                                                                                                                                                                          Entropy (8bit):5.999391385907715
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:copYxSlufq7gCx7Fbyr4rOSlTfJJADr6HDsZQZ7gC6:KauS79Gr4iSllJALQZ7c
                                                                                                                                                                          MD5:06ED2CD304730F55A5C7001509E128BE
                                                                                                                                                                          SHA1:49651485B2CE3D239172BD52BF5A265AB3EB8E18
                                                                                                                                                                          SHA-256:66851B5AA77B3DEE71B842F53D4E30F664F5A08F9754B9E87B323871981516A4
                                                                                                                                                                          SHA-512:0163A8537DE695D34865EEB9C872F15A1827644D8797344A2D36E776F174E5901E77AA560488B0D7D7359B3648614F818B85A7D51F59CCDF2831B5715F5A9334
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:.google.com.FALSE./.TRUE.1699018815.1P_JAR.ENC893*_djEwmUj/dRHWNmfhbTB/w+u3HcpAF49UGcxvovgmz9ye9OQyJO9KCFHkRm8=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*...google.com.TRUE./.TRUE.1712238015.NID.ENC893*_djEwFCqquAx+Q1mLxpuZeEBJZSgzAt4Ngo/HHXcYPxMGINXG0MJzCe/y7m5VzpUyfsA6ingOdNobTvWP/YbKYpzg64nmGlCjRU9RpPIjDAuAxGlp5MTMUaOP4iC8aSCuijjqDE5gAdZQ5Jgb0/uEAZ4ssWGDsxXJbqpGbi04viYfPDhBfQ9XKXznqtHW/weYlNZJIGlKZBsCWoEIKfuL56VHKaBt04gLO/XK1/P3nHsp6pSc1x1uk1RRK7hSYUjCY5G/hcpBBjFv74dICDI=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*..
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):7554
                                                                                                                                                                          Entropy (8bit):5.506160866375042
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:xprr7jZRhWc2KBhA6tsxODsKe8QL66I1bAqANUbg3x:x/HWX6tsxPKuLVfB
                                                                                                                                                                          MD5:9386CBA32ED59767727EDC610551E387
                                                                                                                                                                          SHA1:BEDB0F21AF511B8209BDB71C4F575CFBB6CA8621
                                                                                                                                                                          SHA-256:A4384F1CF49097DF9D81313FCA52759B85B56E7B43A12949A02D2CAD92E58BD3
                                                                                                                                                                          SHA-512:B49B0F5A1305505550CF13050F6BED5784515B6653C2660DD203CE0756CCDBA9F1BC752BE140291C154106FF3D8D45B5435073ABC650BCB3B81FF6BADE38BE7C
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:Build: kedro..Version: 1.9....Date: Fri Apr 19 07:32:40 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: ae479c866f08ae2b6af02a3ccb3807ba....Path: C:\ProgramData\MPGPH131\MPGPH131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\adobeYzp6h16udgt1....IP: 81.181.57.52..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 888683 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 19/4/2024 7:32:40..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [332]..csrss.exe [420]..wininit.exe [496]..csrss.exe [504]..winlogon.exe [564]..services.exe [632]..lsass.exe [640]..svchost.exe [752]..fontdrvhost.exe [780]..fontdrvhost.exe [788
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):4897
                                                                                                                                                                          Entropy (8bit):2.518316437186352
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                                                                                                                                                          MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                                                                                                                                                          SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                                                                                                                                                          SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                                                                                                                                                          SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\s2dwlCsA95.exe
                                                                                                                                                                          File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):98304
                                                                                                                                                                          Entropy (8bit):0.08235737944063153
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                                          MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                                          SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                                          SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                                          SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\s2dwlCsA95.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):159744
                                                                                                                                                                          Entropy (8bit):0.5394293526345721
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                                                                                                          MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                                                                                                          SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                                                                                                          SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                                                                                                          SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\s2dwlCsA95.exe
                                                                                                                                                                          File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):5242880
                                                                                                                                                                          Entropy (8bit):0.03859996294213402
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                                                                                                                                          MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:false
Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\s2dwlCsA95.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.121297215059106
Encrypted:false
SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:D87270D0039ED3A5A72E7082EA71E305
SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:false
Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\s2dwlCsA95.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.136413900497188
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:429F49156428FD53EB06FC82088FD324
SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:false
Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\s2dwlCsA95.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.136413900497188
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:429F49156428FD53EB06FC82088FD324
SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:false
Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\s2dwlCsA95.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.03859996294213402
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:false
Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\s2dwlCsA95.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):20480
Entropy (8bit):0.8439810553697228
Encrypted:false
SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\s2dwlCsA95.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.121297215059106
Encrypted:false
SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:D87270D0039ED3A5A72E7082EA71E305
SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:false
Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\s2dwlCsA95.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.121297215059106
Encrypted:false
SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:D87270D0039ED3A5A72E7082EA71E305
SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:false
Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\s2dwlCsA95.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):159744
Entropy (8bit):0.5394293526345721
Encrypted:false
SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:52701A76A821CDDBC23FB25C3FCA4968
SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:false
Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\s2dwlCsA95.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.136413900497188
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:429F49156428FD53EB06FC82088FD324
SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:false
Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\s2dwlCsA95.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):155648
                                                                                                                                                                          Entropy (8bit):0.5407252242845243
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                                                                                          MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                                                                                          SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                                                                                          SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                                                                                          SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\s2dwlCsA95.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):155648
                                                                                                                                                                          Entropy (8bit):0.5407252242845243
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                                                                                          MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                                                                                          SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                                                                                          SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                                                                                          SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\s2dwlCsA95.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):40960
                                                                                                                                                                          Entropy (8bit):0.8553638852307782
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\s2dwlCsA95.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):20480
                                                                                                                                                                          Entropy (8bit):0.6732424250451717
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                                                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                                                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                                                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                                                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\s2dwlCsA95.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):40960
                                                                                                                                                                          Entropy (8bit):0.8553638852307782
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\s2dwlCsA95.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):51200
                                                                                                                                                                          Entropy (8bit):0.8746135976761988
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                                                                                                          MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                                                                                                          SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                                                                                                          SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                                                                                                          SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):98304
                                                                                                                                                                          Entropy (8bit):0.08235737944063153
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                                          MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                                          SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                                          SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                                          SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                                          Malicious:false
Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):159744
Entropy (8bit):0.5394293526345721
Encrypted:false
SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:52701A76A821CDDBC23FB25C3FCA4968
SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:false
Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):155648
Entropy (8bit):0.5407252242845243
Encrypted:false
SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:7B955D976803304F2C0505431A0CF1CF
SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:false
Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):20480
Entropy (8bit):0.8439810553697228
Encrypted:false
SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.03859996294213402
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:false
Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.121297215059106
Encrypted:false
SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:D87270D0039ED3A5A72E7082EA71E305
SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:false
Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.03859996294213402
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:false
Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):155648
Entropy (8bit):0.5407252242845243
Encrypted:false
SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:7B955D976803304F2C0505431A0CF1CF
SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:false
Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):106496
                                                                                                                                                                          Entropy (8bit):1.136413900497188
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                                                          MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                                                          SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                                                          SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                                                          SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):20480
                                                                                                                                                                          Entropy (8bit):0.6732424250451717
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                                                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                                                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                                                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                                                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):159744
                                                                                                                                                                          Entropy (8bit):0.5394293526345721
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                                                                                                          MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                                                                                                          SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                                                                                                          SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                                                                                                          SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):106496
                                                                                                                                                                          Entropy (8bit):1.136413900497188
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                                                          MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                                                          SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                                                          SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                                                          SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):196608
                                                                                                                                                                          Entropy (8bit):1.121297215059106
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                                                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                                                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                                                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                                                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):106496
                                                                                                                                                                          Entropy (8bit):1.136413900497188
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                                                          MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                                                          SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                                                          SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                                                          SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):51200
                                                                                                                                                                          Entropy (8bit):0.8746135976761988
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                                                                                                          MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                                                                                                          SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                                                                                                          SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                                                                                                          SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):196608
                                                                                                                                                                          Entropy (8bit):1.121297215059106
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                                                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                                                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                                                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                                                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
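The File Type strings in these dropped-file entries are decoded from the 100-byte header at the start of every SQLite 3 database (the "SQLite format 3" magic visible at the start of each Preview), and the Entropy (8bit) column is the Shannon entropy of the file's bytes. The following Python is an added example, not Joe Sandbox code and nothing taken from the sample: it parses that header in the same field order the report uses, renders the same description string, derives the file size the header implies so it can be compared with Size (bytes), and recomputes the entropy. The header layout follows the documented SQLite file format; the sample header is constructed from the values of one entry above (page size 2048, file counter 3, 52 pages, cookie 0x21), not dumped from a real file, and the rule of omitting a 4096-byte page size is inferred from the two entries above that list no page size (20480 bytes / 5 pages and 159744 bytes / 39 pages), not taken from a specification.

```python
# Added example: decode the SQLite 3 header behind the report's File Type
# strings and recompute the Entropy (8bit) value. Sample header is constructed.
import math
import struct
from dataclasses import dataclass
from typing import Optional

SQLITE_MAGIC = b"SQLite format 3\x00"
TEXT_ENCODINGS = {1: "UTF-8", 2: "UTF-16 little endian", 3: "UTF-16 big endian"}


@dataclass
class SqliteHeader:
    page_size: int          # offset 16, big-endian u16; a stored 1 means 65536
    write_version: int      # offset 18: 1 = rollback journal, 2 = WAL
    read_version: int       # offset 19
    change_counter: int     # offset 24, bumped by every write transaction
    db_pages: int           # offset 28, in-header database size in pages
    schema_cookie: int      # offset 40, changes with every schema change
    schema_format: int      # offset 44
    text_encoding: int      # offset 56: 1 UTF-8, 2 UTF-16le, 3 UTF-16be
    user_version: int       # offset 60, PRAGMA user_version
    version_valid_for: int  # offset 92, change counter when db_pages was set
    sqlite_version: int     # offset 96, SQLITE_VERSION_NUMBER of last writer


def parse_sqlite_header(data: bytes) -> SqliteHeader:
    """Parse the 100-byte header at the start of a SQLite 3 database file."""
    if len(data) < 100 or data[:16] != SQLITE_MAGIC:
        raise ValueError("not a SQLite 3 database header")
    raw_page_size = struct.unpack_from(">H", data, 16)[0]
    change_counter, db_pages = struct.unpack_from(">II", data, 24)
    schema_cookie, schema_format = struct.unpack_from(">II", data, 40)
    text_encoding, user_version = struct.unpack_from(">II", data, 56)
    version_valid_for, sqlite_version = struct.unpack_from(">II", data, 92)
    return SqliteHeader(
        page_size=65536 if raw_page_size == 1 else raw_page_size,
        write_version=data[18], read_version=data[19],
        change_counter=change_counter, db_pages=db_pages,
        schema_cookie=schema_cookie, schema_format=schema_format,
        text_encoding=text_encoding, user_version=user_version,
        version_valid_for=version_valid_for, sqlite_version=sqlite_version,
    )


def describe(h: SqliteHeader) -> str:
    """Render the header in the field order the report's File Type column uses.
    Zero fields are skipped; a 4096-byte page size is skipped too (inferred rule)."""
    parts = ["SQLite 3.x database"]
    if h.user_version:
        parts.append(f"user version {h.user_version}")
    parts.append(f"last written using SQLite version {h.sqlite_version}")
    if h.page_size != 4096:
        parts.append(f"page size {h.page_size}")
    if h.write_version > 1:
        parts.append(f"writer version {h.write_version}")
    if h.read_version > 1:
        parts.append(f"read version {h.read_version}")
    if h.change_counter:
        parts.append(f"file counter {h.change_counter}")
    if h.db_pages:
        parts.append(f"database pages {h.db_pages}")
    if h.schema_cookie:
        parts.append(f"cookie {h.schema_cookie:#x}")
    if h.schema_format:
        parts.append(f"schema {h.schema_format}")
    if h.text_encoding in TEXT_ENCODINGS:
        parts.append(TEXT_ENCODINGS[h.text_encoding])
    if h.version_valid_for:
        parts.append(f"version-valid-for {h.version_valid_for}")
    return ", ".join(parts)


def expected_file_size(h: SqliteHeader) -> Optional[int]:
    """Bytes the header claims the file occupies; None when the in-header page
    count is stale (SQLite only trusts it while offset 92 equals offset 24)."""
    if h.version_valid_for != h.change_counter:
        return None
    return h.db_pages * h.page_size


def shannon_entropy_8bit(data: bytes) -> float:
    """Byte-level Shannon entropy in bits, 0.0 to 8.0, as in Entropy (8bit)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample_header() -> bytes:
    """Constructed header carrying the values of one dropped-file entry above."""
    hdr = bytearray(100)
    hdr[0:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, 2048)         # page size
    hdr[18] = hdr[19] = 1                         # legacy write/read versions
    hdr[21], hdr[22], hdr[23] = 64, 32, 32        # fixed payload fractions
    struct.pack_into(">II", hdr, 24, 3, 52)       # file counter, database pages
    struct.pack_into(">II", hdr, 40, 0x21, 4)     # schema cookie, schema format
    struct.pack_into(">I", hdr, 56, 1)            # text encoding UTF-8
    struct.pack_into(">II", hdr, 92, 3, 3042000)  # version-valid-for, version
    return bytes(hdr)
```

Running `describe(parse_sqlite_header(build_sample_header()))` reproduces the 106496-byte entries' File Type string exactly, and `expected_file_size` returns 52 × 2048 = 106496, matching their Size (bytes). The same check is a cheap triage step for the other entries: 20 × 2048, 25 × 2048, 5 × 4096, 39 × 4096 and 3 × 32768 all match the listed sizes, while the 196608-byte entries claim 89 pages of 2048 bytes (182272), so the on-disk copy is larger than the header accounts for, which is worth a second look when the file is examined. Entropy values around 1 bit per byte, as listed above, are what mostly-empty database pages produce; a heavily populated or encrypted database would read far higher.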
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.03859996294213402
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):159744
Entropy (8bit):0.5394293526345721
Encrypted:false
SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:52701A76A821CDDBC23FB25C3FCA4968
SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.136413900497188
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:429F49156428FD53EB06FC82088FD324
SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):155648
Entropy (8bit):0.5407252242845243
Encrypted:false
SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:7B955D976803304F2C0505431A0CF1CF
SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.136413900497188
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:429F49156428FD53EB06FC82088FD324
SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):51200
                                                                                                                                                                          Entropy (8bit):0.8746135976761988
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                                                                                                          MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                                                                                                          SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                                                                                                          SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                                                                                                          SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):40960
                                                                                                                                                                          Entropy (8bit):0.8553638852307782
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):155648
                                                                                                                                                                          Entropy (8bit):0.5407252242845243
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                                                                                          MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                                                                                          SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                                                                                          SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                                                                                          SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):196608
                                                                                                                                                                          Entropy (8bit):1.121297215059106
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                                                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                                                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                                                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                                                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):20480
                                                                                                                                                                          Entropy (8bit):0.6732424250451717
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                                                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                                                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                                                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                                                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):106496
                                                                                                                                                                          Entropy (8bit):1.136413900497188
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                                                          MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                                                          SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                                                          SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                                                          SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):196608
                                                                                                                                                                          Entropy (8bit):1.121297215059106
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                                                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                                                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                                                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                                                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.121297215059106
Encrypted:false
SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:D87270D0039ED3A5A72E7082EA71E305
SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):20480
Entropy (8bit):0.8439810553697228
Encrypted:false
SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):159744
Entropy (8bit):0.5394293526345721
Encrypted:false
SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:52701A76A821CDDBC23FB25C3FCA4968
SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.03859996294213402
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):159744
Entropy (8bit):0.5394293526345721
Encrypted:false
SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:52701A76A821CDDBC23FB25C3FCA4968
SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.03859996294213402
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.121297215059106
Encrypted:false
SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:D87270D0039ED3A5A72E7082EA71E305
SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):155648
                                                                                                                                                                          Entropy (8bit):0.5407252242845243
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                                                                                          MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                                                                                          SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                                                                                          SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                                                                                          SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):40960
                                                                                                                                                                          Entropy (8bit):0.8553638852307782
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):20480
                                                                                                                                                                          Entropy (8bit):0.6732424250451717
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                                                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                                                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                                                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                                                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):196608
                                                                                                                                                                          Entropy (8bit):1.121297215059106
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                                                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                                                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                                                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                                                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):106496
                                                                                                                                                                          Entropy (8bit):1.136413900497188
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                                                          MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                                                          SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                                                          SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                                                          SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):196608
                                                                                                                                                                          Entropy (8bit):1.121297215059106
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                                                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                                                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                                                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                                                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):106496
                                                                                                                                                                          Entropy (8bit):1.136413900497188
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                                                          MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                                                          SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                                                          SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                                                          SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):20480
                                                                                                                                                                          Entropy (8bit):0.8439810553697228
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                                                                                                                                                                          MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                                                                                                                                                                          SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                                                                                                                                                                          SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                                                                                                                                                                          SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
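The "File Type" line on each dropped database above is libmagic's decode of the 100-byte SQLite file header (page size, file change counter, page count, schema cookie, schema format, text encoding, version-valid-for, writing SQLite version), and "Entropy (8bit)" is the Shannon entropy of the whole file. The following Python is an added example, not Joe Sandbox code and not part of the report, that parses those header fields from a file on disk, renders them in the same style as the listing, and computes the entropy figure, so that copies of browser stores left behind by a stealer can be triaged offline. Assumptions: the rule that file(1) omits "page size" when it is the default 4096 is inferred from the entries above; the function names, the constructed header fixture in `make_header`, and the throwaway database created by `inspect_sample_db` (named "Login Data" only to mirror a browser credential store) are all this example's own.

```python
import math
import os
import sqlite3
import struct
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"
TEXT_ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def parse_sqlite_header(buf: bytes) -> dict:
    """Decode the 100-byte SQLite 3 file header; all integers are big-endian."""
    if len(buf) < 100 or buf[:16] != SQLITE_MAGIC:
        raise ValueError("not a SQLite 3 database header")
    page_size = struct.unpack_from(">H", buf, 16)[0]
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    (change_counter, page_count, _freelist_trunk, _freelist_count,
     schema_cookie, schema_format, _cache_size, _largest_root,
     text_encoding, _user_version, _incr_vacuum, _app_id) = struct.unpack_from(">12I", buf, 24)
    version_valid_for, sqlite_version = struct.unpack_from(">II", buf, 92)
    return {
        "page_size": page_size,
        "change_counter": change_counter,
        "page_count": page_count,
        "schema_cookie": schema_cookie,
        "schema_format": schema_format,
        "text_encoding": TEXT_ENCODINGS.get(text_encoding, f"unknown({text_encoding})"),
        "version_valid_for": version_valid_for,
        "sqlite_version": sqlite_version,
        # the in-header page count is only trustworthy when these two agree
        "page_count_trusted": change_counter == version_valid_for,
    }


def describe(f: dict) -> str:
    """Render the fields like file(1); page size omitted at the 4096 default (assumed rule)."""
    parts = [f"last written using SQLite version {f['sqlite_version']}"]
    if f["page_size"] != 4096:
        parts.append(f"page size {f['page_size']}")
    parts += [f"file counter {f['change_counter']}",
              f"database pages {f['page_count']}",
              f"cookie {f['schema_cookie']:#x}",
              f"schema {f['schema_format']}",
              f["text_encoding"],
              f"version-valid-for {f['version_valid_for']}"]
    return "SQLite 3.x database, " + ", ".join(parts)


def make_header(page_size, change_counter, page_count, cookie, schema_format,
                text_encoding, version_valid_for, sqlite_version) -> bytes:
    """Constructed 100-byte header fixture for offline tests (not from a real file)."""
    h = bytearray(100)
    h[:16] = SQLITE_MAGIC
    struct.pack_into(">HBBBBBB", h, 16, 1 if page_size == 65536 else page_size,
                     1, 1, 0, 64, 32, 32)  # write/read version, reserved, payload fractions
    struct.pack_into(">12I", h, 24, change_counter, page_count, 0, 0, cookie,
                     schema_format, 0, 0, text_encoding, 0, 0, 0)
    struct.pack_into(">II", h, 92, version_valid_for, sqlite_version)
    return bytes(h)


def shannon_entropy(buf: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the 'Entropy (8bit)' figure."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def running_sqlite_version_number() -> int:
    """SQLITE_VERSION_NUMBER of the library Python links against (X*1000000+Y*1000+Z)."""
    x, y, z = sqlite3.sqlite_version_info[:3]
    return x * 1000000 + y * 1000 + z


def inspect_sample_db() -> tuple:
    """Create a small real database, then read its header back the way a triage
    script would for a dropped file. Returns (fields, file_size, entropy)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Login Data")  # name mirrors a browser store; data is made up
        con = sqlite3.connect(path)
        con.execute("PRAGMA page_size = 2048")  # same 2048-byte pages as in the listing
        con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT)")
        con.executemany("INSERT INTO logins VALUES (?, ?)",
                        [(f"https://example{i}.test", f"user{i}") for i in range(10)])
        con.commit()
        con.close()
        with open(path, "rb") as fh:
            data = fh.read()
    return parse_sqlite_header(data[:100]), len(data), shannon_entropy(data)


if __name__ == "__main__":
    fields, size, ent = inspect_sample_db()
    print(describe(fields))
    print(f"size={size} pages*page_size={fields['page_count'] * fields['page_size']} entropy={ent:.3f}")
```

Two checks worth keeping from this when looking at a stealer's staged copies: the file size should equal page count times page size (a short file means the copy was truncated mid-write and will not open cleanly), and the page count is only meaningful when the change counter and version-valid-for match. A low entropy value like the ~1.1 reported above is typical of a sparsely filled database and tells you nothing about whether the contents are sensitive.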
                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):106496
                                                                                                                                                                          Entropy (8bit):1.136413900497188
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                                                          MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                                                          SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                                                          SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                                                          SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 155648
Entropy (8bit): 0.5407252242845243
Encrypted: false
SSDEEP: 96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5: 7B955D976803304F2C0505431A0CF1CF
SHA1: E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256: 987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512: CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious: false
Preview: SQLite format 3......@ .......&..................................................................j.........

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 51200
Entropy (8bit): 0.8746135976761988
Encrypted: false
SSDEEP: 96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5: 9E68EA772705B5EC0C83C2A97BB26324
SHA1: 243128040256A9112CEAC269D56AD6B21061FF80
SHA-256: 17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512: 312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious: false
Preview: SQLite format 3......@ ..........................................................................j.........

Process: C:\Users\user\Desktop\s2dwlCsA95.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 13
Entropy (8bit): 2.469670487371862
Encrypted: false
SSDEEP: 3:LGH:6H
MD5: C088DF7C7B2E3EB0D351DF9E906F3F53
SHA1: ACB2D2C4C2DA96D1FAC78D42FB3958F3E6349D15
SHA-256: 49F058165AB383D200305158F9D65D97BBFD78CBAFB13D34B4ABD2A9F922A4FF
SHA-512: 9720BAEF2BEB647D015CA74DB9F9F48194E781E14B8BC324DC683BD73605E567DEEB19702504BCCB0DBEFB4636C4F6787CFF31AF9365B0D3045D0F5F881D3D5B
Malicious: false
Preview: 1713508855057

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.424212486020275
Encrypted: false
SSDEEP: 6144:6Svfpi6ceLP/9skLmb0OTnWSPHaJG8nAgeMZMMhA2fX4WABlEnN10uhiTw:pvloTnW+EZMM6DFyz03w
MD5: 8E9D9540481C298CD460B421BDC13362
SHA1: 894077BC93D501FC1940A32C12A1CB6D8D9531BF
SHA-256: 7137EE9B6318367C077F9B5D8155F8070F9BB2AFD4580A1316175CA9D2AAD4B3
SHA-512: F30E9A9AFDCBFBE7A380F45EEBF0F87E6A67A187F9533CD24FC8176BEC527889CA43829172056B2B5137D8E56F3F4123E868FAA641757BFD63F52F9C29D8904C
Malicious: false
Preview: regfG...G....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm&.0......

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.521887431067791
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: s2dwlCsA95.exe
File size: 936'960 bytes
MD5: 360f5b40a6cbc8f99639d6989a3fd0ac
SHA1: 1709413509c4dedf9e0452d818a5991c0740ca86
SHA256: 09c9e09ef1371e9bc9292abce47d8bd0fdae9cb9fecc42ccfd51f983f43e2bdf
SHA512: a2b273ec5ad9555255f0437388ddea538290c8f4e0a3dc3fcc058c1d28e5bb45c4fecf1a44c644c8a2d87659305eab7036432c31906cf6f707a1d77b9a82b75f
SSDEEP: 12288:tQEfkgrq80neiZWArK6ye6wxM9b8QraUO3dVwJ3rvcWZK6YFdFzlEh6pN1PuuQvp:mQkg280uArzD6o4I8OeDpMNEBt
TLSH: 1A1512113270FC76DDA707B28A29C5B82A3F7F690371C15E36943AAF5A336D19232749
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........]..R]..R]..RC.,RL..RC.:R?..RC.=Rw..Rza.RX..R]..R/..RC.3R\..RC.-R\..RC.(R\..RRich]..R........PE..L...,`4e...................
Icon Hash: 6727676743571667
Entrypoint: 0x401656
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x6534602C [Sat Oct 21 23:35:08 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 8c4ed3f8ed342192f39cb3177db23743

Instruction
call 00007FA36C8D2C77h
jmp 00007FA36C8CF07Dh
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007FA36C8CF226h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007FA36C8CF250h
test ecx, 00000003h
jne 00007FA36C8CF1F1h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007FA36C8CF1EAh
mov eax, dword ptr [ecx-04h]
test al, al
je 00007FA36C8CF234h
test ah, ah
je 00007FA36C8CF226h
test eax, 00FF0000h
je 00007FA36C8CF215h
test eax, FF000000h
je 00007FA36C8CF204h
jmp 00007FA36C8CF1CFh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
                                                                                                                                                                          lea eax, dword ptr [ecx-04h]
                                                                                                                                                                          mov ecx, dword ptr [esp+04h]
                                                                                                                                                                          sub eax, ecx
                                                                                                                                                                          ret
                                                                                                                                                                          mov edi, edi
                                                                                                                                                                          push ebp
                                                                                                                                                                          mov ebp, esp
                                                                                                                                                                          sub esp, 20h
                                                                                                                                                                          mov eax, dword ptr [ebp+08h]
                                                                                                                                                                          push esi
                                                                                                                                                                          push edi
                                                                                                                                                                          push 00000008h
                                                                                                                                                                          pop ecx
                                                                                                                                                                          mov esi, 0040C20Ch
                                                                                                                                                                          lea edi, dword ptr [ebp-20h]
                                                                                                                                                                          rep movsd
                                                                                                                                                                          mov dword ptr [ebp-08h], eax
                                                                                                                                                                          mov eax, dword ptr [ebp+0Ch]
                                                                                                                                                                          pop edi
                                                                                                                                                                          mov dword ptr [ebp-04h], eax
                                                                                                                                                                          pop esi
                                                                                                                                                                          test eax, eax
                                                                                                                                                                          je 00007FA36C8CF20Eh
                                                                                                                                                                          test byte ptr [eax], 00000008h
                                                                                                                                                                          je 00007FA36C8CF209h
                                                                                                                                                                          mov dword ptr [ebp-0Ch], 00004000h
Programming Language:
• [ASM] VS2008 build 21022
• [ C ] VS2008 build 21022
• [C++] VS2008 build 21022
• [IMP] VS2005 build 50727
• [RES] VS2008 build 21022
• [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd1d1c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x28b6000 | 0x110c0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xd15e8 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xd15a0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x190 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa57d | 0xa600 | 9135af4396464594ec8943b7f6ddf2e8 | False | 0.6169051204819277 | data | 6.573053925701319 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xc000 | 0xc664e | 0xc6800 | 49378c041b52dc0130c0f1869fd5d0fd | False | 0.9043903494962217 | data | 7.681658028657697 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xd3000 | 0x27e1300 | 0x1e00 | 85b8d231f6e44b17cc3549aaac16b49b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x28b5000 | 0x9cd | 0xa00 | b85f229e4962d23b2bc27d3fefa72e8e | False | 0.010546875 | data | 0.004986070829181356 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x28b6000 | 0x110c0 | 0x11200 | f2f02b699c081e8231dd4f4d64e53262 | False | 0.43772810218978103 | data | 5.004745094465725 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
ZASAXUJUWEN | 0x28c2648 | 0x476 | ASCII text, with very long lines (1142), with no line terminators | Turkish | Turkey | 0.6243432574430823
RT_CURSOR | 0x28c2ae8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.31023454157782515
RT_CURSOR | 0x28c39a8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7368421052631579
RT_CURSOR | 0x28c3ad8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.06130705394190871
RT_ICON | 0x28b6690 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.43550106609808104
RT_ICON | 0x28b7538 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.575812274368231
RT_ICON | 0x28b7de0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6422811059907834
RT_ICON | 0x28b84a8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6914739884393064
RT_ICON | 0x28b8a10 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.5309128630705394
RT_ICON | 0x28bafb8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.6061475409836066
RT_ICON | 0x28bb940 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.6365248226950354
RT_ICON | 0x28bbe10 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.43976545842217485
RT_ICON | 0x28bccb8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.5654332129963899
RT_ICON | 0x28bd560 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.6094470046082949
RT_ICON | 0x28bdc28 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.6690751445086706
RT_ICON | 0x28be190 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Turkish | Turkey | 0.39439834024896264
RT_ICON | 0x28c0738 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Turkish | Turkey | 0.4223733583489681
RT_ICON | 0x28c17e0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Turkish | Turkey | 0.44672131147540983
RT_ICON | 0x28c2168 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Turkish | Turkey | 0.44592198581560283
RT_STRING | 0x28c6288 | 0x7c | data | | | 0.6532258064516129
RT_STRING | 0x28c6308 | 0x60a | data | | | 0.42755498059508407
RT_STRING | 0x28c6918 | 0xc8 | data | | | 0.58
RT_STRING | 0x28c69e0 | 0x59e | data | | | 0.43671766342141866
RT_STRING | 0x28c6f80 | 0x13a | data | | | 0.5445859872611465
RT_ACCELERATOR | 0x28c2ac0 | 0x28 | data | | | 1.0
RT_GROUP_CURSOR | 0x28c3990 | 0x14 | data | | | 1.25
RT_GROUP_CURSOR | 0x28c6080 | 0x22 | data | | | 1.088235294117647
RT_GROUP_ICON | 0x28bbda8 | 0x68 | data | Turkish | Turkey | 0.7115384615384616
RT_GROUP_ICON | 0x28c25d0 | 0x76 | data | Turkish | Turkey | 0.6779661016949152
RT_VERSION | 0x28c60a8 | 0x1e0 | data | | | 0.5708333333333333
DLL | Import
KERNEL32.dll | EnumCalendarInfoA, GetConsoleAliasesLengthW, GetLocaleInfoA, SetDefaultCommConfigW, SetFirmwareEnvironmentVariableA, GetComputerNameW, UnlockFile, FreeEnvironmentStringsA, GetModuleHandleW, IsBadReadPtr, GetDateFormatA, EnumTimeFormatsW, SetCommState, LoadLibraryW, GetConsoleAliasExesLengthW, FindNextVolumeW, GetModuleFileNameW, SetConsoleTitleA, GlobalUnfix, SetCurrentDirectoryA, GetProcAddress, GetProcessHeaps, LoadLibraryA, LocalAlloc, SetCalendarInfoW, GetFileType, SetConsoleDisplayMode, WaitForMultipleObjects, BuildCommDCBA, VirtualProtect, GetCurrentDirectoryA, FindAtomW, SetFileAttributesW, GetVolumeInformationW, LocalFileTimeToFileTime, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetLastError, HeapFree, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, Sleep, HeapSize, ExitProcess, EnterCriticalSection, LeaveCriticalSection, WriteFile, GetStdHandle, GetModuleFileNameA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, DeleteCriticalSection, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, VirtualAlloc, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, LCMapStringA, LCMapStringW, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA
USER32.dll | GetProcessDefaultLayout
Language of compilation system | Country where language is spoken | Map
Turkish | Turkey |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/19/24-07:32:13.951565 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49708 | 147.45.47.93 | 192.168.2.5
04/19/24-07:32:48.720190 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49708 | 58709 | 192.168.2.5 | 147.45.47.93
04/19/24-07:32:27.323927 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49717 | 147.45.47.93 | 192.168.2.5
04/19/24-07:32:13.712283 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49707 | 147.45.47.93 | 192.168.2.5
04/19/24-07:32:13.946011 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49707 | 147.45.47.93 | 192.168.2.5
04/19/24-07:33:01.046159 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49717 | 58709 | 192.168.2.5 | 147.45.47.93
04/19/24-07:32:47.920285 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49707 | 58709 | 192.168.2.5 | 147.45.47.93
04/19/24-07:32:01.936877 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49704 | 58709 | 192.168.2.5 | 147.45.47.93
04/19/24-07:33:08.467646 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49721 | 58709 | 192.168.2.5 | 147.45.47.93
04/19/24-07:32:05.531331 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49704 | 58709 | 192.168.2.5 | 147.45.47.93
04/19/24-07:32:02.132219 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49704 | 147.45.47.93 | 192.168.2.5
04/19/24-07:32:02.374234 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49704 | 147.45.47.93 | 192.168.2.5
04/19/24-07:32:31.759927 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49721 | 147.45.47.93 | 192.168.2.5
04/19/24-07:32:28.378017 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49721 | 147.45.47.93 | 192.168.2.5
04/19/24-07:32:23.533848 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49717 | 147.45.47.93 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 19, 2024 07:32:01.694596052 CEST | 49704 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 19, 2024 07:32:01.913423061 CEST | 58709 | 49704 | 147.45.47.93 | 192.168.2.5
Apr 19, 2024 07:32:01.913507938 CEST | 49704 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 19, 2024 07:32:01.936877012 CEST | 49704 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 19, 2024 07:32:02.132219076 CEST | 58709 | 49704 | 147.45.47.93 | 192.168.2.5
Apr 19, 2024 07:32:02.155352116 CEST | 58709 | 49704 | 147.45.47.93 | 192.168.2.5
Apr 19, 2024 07:32:02.155448914 CEST | 49704 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 19, 2024 07:32:02.248797894 CEST | 49704 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 19, 2024 07:32:02.374233961 CEST | 58709 | 49704 | 147.45.47.93 | 192.168.2.5
Apr 19, 2024 07:32:02.420599937 CEST | 49704 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 19, 2024 07:32:02.517605066 CEST | 58709 | 49704 | 147.45.47.93 | 192.168.2.5
Apr 19, 2024 07:32:05.531331062 CEST | 49704 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 19, 2024 07:32:05.718803883 CEST | 49705 | 443 | 192.168.2.5 | 34.117.186.192
Apr 19, 2024 07:32:05.718909025 CEST | 443 | 49705 | 34.117.186.192 | 192.168.2.5
Apr 19, 2024 07:32:05.718986988 CEST | 49705 | 443 | 192.168.2.5 | 34.117.186.192
Apr 19, 2024 07:32:05.720396042 CEST | 49705 | 443 | 192.168.2.5 | 34.117.186.192
Apr 19, 2024 07:32:05.720429897 CEST | 443 | 49705 | 34.117.186.192 | 192.168.2.5
Apr 19, 2024 07:32:05.753982067 CEST | 58709 | 49704 | 147.45.47.93 | 192.168.2.5
Apr 19, 2024 07:32:05.795602083 CEST | 49704 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 19, 2024 07:32:05.942301035 CEST | 443 | 49705 | 34.117.186.192 | 192.168.2.5
Apr 19, 2024 07:32:05.942425966 CEST | 49705 | 443 | 192.168.2.5 | 34.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:05.959703922 CEST49705443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:05.959738016 CEST4434970534.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:05.960058928 CEST4434970534.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:06.092475891 CEST49705443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:06.829210043 CEST49705443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:06.872160912 CEST4434970534.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:06.964083910 CEST4434970534.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:06.964473009 CEST4434970534.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:06.967998028 CEST49705443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:06.971110106 CEST49705443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:06.971158981 CEST4434970534.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:06.971190929 CEST49705443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:06.971206903 CEST4434970534.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:07.085124969 CEST49706443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:07.085180044 CEST44349706172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:07.085463047 CEST49706443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:07.085649967 CEST49706443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:07.085659027 CEST44349706172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:07.317827940 CEST44349706172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:07.318185091 CEST49706443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:07.628595114 CEST49706443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:07.628616095 CEST44349706172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:07.629653931 CEST44349706172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:07.632000923 CEST49706443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:07.676115036 CEST44349706172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:07.902844906 CEST44349706172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:07.903038979 CEST44349706172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:07.903168917 CEST49706443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:07.904264927 CEST49706443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:07.904264927 CEST49706443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:07.904310942 CEST44349706172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:07.904325962 CEST44349706172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:07.904831886 CEST4970458709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:08.160588026 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:08.233329058 CEST4970458709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:08.459450006 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:08.561446905 CEST4970458709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:08.790456057 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:08.790472984 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:08.790488958 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:08.790613890 CEST4970458709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:08.790647984 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:08.790682077 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:08.790694952 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:08.790709972 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:08.790724993 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:08.790738106 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:08.790741920 CEST4970458709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:08.790741920 CEST4970458709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:08.790752888 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:08.790788889 CEST4970458709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:08.790788889 CEST4970458709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:09.009552956 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:09.009573936 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:09.009587049 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:09.009602070 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:09.009620905 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:09.009782076 CEST4970458709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:09.092546940 CEST4970458709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:09.108489990 CEST4970458709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:09.335546970 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:09.440009117 CEST4970458709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:09.663137913 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:09.795614958 CEST4970458709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:13.269059896 CEST4970758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:13.490614891 CEST5870949707147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:13.490700006 CEST4970758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:13.503201962 CEST4970758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:13.507884026 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:13.712282896 CEST5870949707147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:13.724597931 CEST5870949707147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:13.724652052 CEST4970758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:13.729682922 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:13.729784966 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:13.743339062 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:13.827083111 CEST4970758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:13.946011066 CEST5870949707147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:13.951565027 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:14.017651081 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:14.061367989 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:14.061436892 CEST4970758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:14.097333908 CEST5870949707147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:14.283113956 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:14.405141115 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:14.673784018 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:17.124097109 CEST4970758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:17.392476082 CEST5870949707147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:17.547239065 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:17.814590931 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:19.628000975 CEST5870949707147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:19.764446020 CEST4970758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:20.253592968 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:20.452111959 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:20.507070065 CEST49715443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:20.507106066 CEST4434971534.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:20.507188082 CEST49715443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:20.508337021 CEST49715443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:20.508352041 CEST4434971534.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:20.516192913 CEST49716443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:20.516226053 CEST4434971634.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:20.516285896 CEST49716443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:20.517662048 CEST49716443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:20.517688036 CEST4434971634.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:20.728985071 CEST4434971534.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:20.729073048 CEST49715443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:20.730590105 CEST49715443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:20.730601072 CEST4434971534.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:20.731378078 CEST4434971534.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:20.736649990 CEST4434971634.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:20.736733913 CEST49716443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:20.738770008 CEST49716443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:20.738787889 CEST4434971634.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:20.739134073 CEST4434971634.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:20.936152935 CEST4434971534.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:20.936865091 CEST49715443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:20.948127031 CEST4434971634.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:32.453197002 CEST4434972234.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:32.453258991 CEST49722443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:32.454653978 CEST49722443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:32.454670906 CEST4434972234.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:32.589240074 CEST4972158709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:32.672892094 CEST4434972234.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:32.673006058 CEST49722443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:32.677268028 CEST49722443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:32.677299023 CEST4434972234.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:32.677582979 CEST4434972234.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:32.764384031 CEST49722443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:32.865118027 CEST5870949721147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:33.491621971 CEST4970458709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:33.491925001 CEST4970458709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:33.710470915 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:33.710556030 CEST4970458709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:33.779690981 CEST49722443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:33.819865942 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:33.820163012 CEST4434972234.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:33.912012100 CEST4434972234.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:33.912436962 CEST4434972234.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:33.912687063 CEST49722443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:33.912822962 CEST49722443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:33.912837982 CEST4434972234.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:33.912866116 CEST49722443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:33.912874937 CEST4434972234.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:33.937279940 CEST49723443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:33.937314034 CEST44349723172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:33.937575102 CEST49723443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:33.937964916 CEST49723443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:33.937982082 CEST44349723172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:33.951895952 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:33.970791101 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:34.156691074 CEST44349723172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:34.156769037 CEST49723443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:34.159161091 CEST49723443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:34.159168959 CEST44349723172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:34.159487009 CEST44349723172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:34.161036015 CEST49723443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:34.204144955 CEST44349723172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:34.476979017 CEST44349723172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:34.477085114 CEST44349723172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:34.477289915 CEST49723443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:34.709165096 CEST5870949707147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:34.733453035 CEST4970758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:34.821465015 CEST49723443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:34.821496964 CEST44349723172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:34.821515083 CEST49723443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:34.821523905 CEST44349723172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:34.821903944 CEST4971758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:35.003312111 CEST5870949707147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.058820963 CEST5870949717147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.077079058 CEST4971758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:35.184750080 CEST49724443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:35.184803963 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.184875011 CEST49724443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:35.185714006 CEST49724443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:35.185728073 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.316327095 CEST5870949717147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.318574905 CEST5870949707147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.408901930 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.408987045 CEST49724443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:35.419425964 CEST49724443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:35.419437885 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.420665026 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.420725107 CEST4971758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:35.437066078 CEST49724443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:35.467639923 CEST4970758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:35.480122089 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.649365902 CEST5870949717147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.649429083 CEST5870949717147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.649481058 CEST5870949717147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.649521112 CEST4971758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:35.649530888 CEST5870949717147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.649580956 CEST5870949717147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.649630070 CEST5870949717147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.649630070 CEST4971758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:35.649678946 CEST5870949717147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.649693966 CEST4971758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:35.649732113 CEST5870949717147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.649776936 CEST4971758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:35.649782896 CEST5870949717147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.649832964 CEST5870949717147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.649883032 CEST4971758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:35.720423937 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.720558882 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.720611095 CEST49724443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:35.722157955 CEST4972158709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:35.729475021 CEST49724443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:35.729501009 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.729536057 CEST49724443192.168.2.534.117.186.192
                                                                                                                                                                          Apr 19, 2024 07:32:35.729542017 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.868371964 CEST5870949717147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.868438959 CEST5870949717147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.868489981 CEST5870949717147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.868519068 CEST4971758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:35.868542910 CEST5870949717147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.868585110 CEST4971758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:35.868592978 CEST5870949717147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:35.879722118 CEST4971758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:35.956646919 CEST5870949721147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:36.004569054 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:36.004730940 CEST4970458709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:36.060414076 CEST49725443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:36.060450077 CEST44349725172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:36.060636044 CEST49725443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:36.061059952 CEST49725443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:36.061069965 CEST44349725172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:36.116405964 CEST5870949717147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:36.155374050 CEST4972158709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:36.202187061 CEST4971758709192.168.2.5147.45.47.93
                                                                                                                                                                          Apr 19, 2024 07:32:36.267872095 CEST5870949704147.45.47.93192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:36.284729004 CEST44349725172.67.75.166192.168.2.5
                                                                                                                                                                          Apr 19, 2024 07:32:36.284804106 CEST49725443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:36.286428928 CEST49725443192.168.2.5172.67.75.166
                                                                                                                                                                          Apr 19, 2024 07:32:36.286437035 CEST44349725172.67.75.166192.168.2.5
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
| --- | --- | --- | --- | --- |
| Apr 19, 2024 07:32:05.607618093 CEST | 53941 | 53 | 192.168.2.5 | 1.1.1.1 |
| Apr 19, 2024 07:32:05.712594986 CEST | 53 | 53941 | 1.1.1.1 | 192.168.2.5 |
| Apr 19, 2024 07:32:06.974481106 CEST | 59276 | 53 | 192.168.2.5 | 1.1.1.1 |
| Apr 19, 2024 07:32:07.080862045 CEST | 53 | 59276 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Apr 19, 2024 07:32:05.607618093 CEST | 192.168.2.5 | 1.1.1.1 | 0xf1f0 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false |
| Apr 19, 2024 07:32:06.974481106 CEST | 192.168.2.5 | 1.1.1.1 | 0x6681 | Standard query (0) | db-ip.com | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Apr 19, 2024 07:32:05.712594986 CEST | 1.1.1.1 | 192.168.2.5 | 0xf1f0 | No error (0) | ipinfo.io | | 34.117.186.192 | A (IP address) | IN (0x0001) | false |
| Apr 19, 2024 07:32:07.080862045 CEST | 1.1.1.1 | 192.168.2.5 | 0x6681 | No error (0) | db-ip.com | | 172.67.75.166 | A (IP address) | IN (0x0001) | false |
| Apr 19, 2024 07:32:07.080862045 CEST | 1.1.1.1 | 192.168.2.5 | 0x6681 | No error (0) | db-ip.com | | 104.26.5.15 | A (IP address) | IN (0x0001) | false |
| Apr 19, 2024 07:32:07.080862045 CEST | 1.1.1.1 | 192.168.2.5 | 0x6681 | No error (0) | db-ip.com | | 104.26.4.15 | A (IP address) | IN (0x0001) | false |
• https:
  • ipinfo.io
  • db-ip.com
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| --- | --- | --- | --- | --- | --- | --- |
| 0 | 192.168.2.5 | 49705 | 34.117.186.192 | 443 | 6604 | C:\Users\user\Desktop\s2dwlCsA95.exe |
Timestamp | Bytes transferred | Direction | Data

2024-04-19 05:32:06 UTC | 237 | OUT
GET /widget/demo/81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: ipinfo.io

2024-04-19 05:32:06 UTC | 513 | IN
HTTP/1.1 200 OK
server: nginx/1.24.0
date: Fri, 19 Apr 2024 05:32:06 GMT
content-type: application/json; charset=utf-8
Content-Length: 980
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 4
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                                                                                          Connection: close
                                                                                                                                                                          2024-04-19 05:32:06 UTC742INData Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
                                                                                                                                                                          Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
                                                                                                                                                                          2024-04-19 05:32:06 UTC238INData Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
                                                                                                                                                                          Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID: 1
Source IP: 192.168.2.5
Source Port: 49706
Destination IP: 172.67.75.166
Destination Port: 443
PID: 6604
Process: C:\Users\user\Desktop\s2dwlCsA95.exe

Timestamp  Bytes transferred  Direction  Data
2024-04-19 05:32:07 UTC  261  OUT
GET /demo/home.php?s=81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: db-ip.com
2024-04-19 05:32:07 UTC  662  IN
HTTP/1.1 200 OK
Date: Fri, 19 Apr 2024 05:32:07 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-iplb-request-id: 6CA2ED5B:EB74_93878F2E:0050_662201D7_8CFD5E9:4F34
x-iplb-instance: 59215
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9%2FUCJHiSuUx6Pj0VcT25wAQsVXYm1Zxd%2B1t4jiF2C3pKL1%2FkKQgAagbWPZhd7qnceprBIfw0kQfk95F5oVr1VusMonU%2Beo39DeNJP51G2V%2Bo8%2B1r3oT6hR%2FfHw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 876a8323f99a080b-ATL
alt-svc: h3=":443"; ma=86400
2024-04-19 05:32:07 UTC  699  IN
Data Raw: 32 62 34 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a
Data Ascii: 2b4{"status":"ok","demoInfo":{"ipAddress":"81.181.57.52","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":
2024-04-19 05:32:07 UTC  5  IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 2
Source IP: 192.168.2.5
Source Port: 49716
Destination IP: 34.117.186.192
Destination Port: 443
PID: 6340
Process: C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp  Bytes transferred  Direction  Data
2024-04-19 05:32:22 UTC  237  OUT
GET /widget/demo/81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: ipinfo.io
2024-04-19 05:32:23 UTC  513  IN
HTTP/1.1 200 OK
server: nginx/1.24.0
date: Fri, 19 Apr 2024 05:32:23 GMT
content-type: application/json; charset=utf-8
Content-Length: 980
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 1
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-19 05:32:23 UTC  742  IN
Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-19 05:32:23 UTC  238  IN
Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID: 3
Source IP: 192.168.2.5
Source Port: 49715
Destination IP: 34.117.186.192
Destination Port: 443
PID: 7088
Process: C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp  Bytes transferred  Direction  Data
2024-04-19 05:32:23 UTC  237  OUT
GET /widget/demo/81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: ipinfo.io
2024-04-19 05:32:23 UTC  513  IN
HTTP/1.1 200 OK
server: nginx/1.24.0
date: Fri, 19 Apr 2024 05:32:23 GMT
content-type: application/json; charset=utf-8
Content-Length: 980
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 2
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-19 05:32:23 UTC  742  IN
Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-19 05:32:23 UTC  238  IN
Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID: 4
Source IP: 192.168.2.5
Source Port: 49718
Destination IP: 172.67.75.166
Destination Port: 443
PID: 6340
Process: C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp  Bytes transferred  Direction  Data
2024-04-19 05:32:23 UTC  261  OUT
GET /demo/home.php?s=81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: db-ip.com
2024-04-19 05:32:23 UTC  660  IN
HTTP/1.1 200 OK
Date: Fri, 19 Apr 2024 05:32:23 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-iplb-request-id: AC471634:DAB6_93878F2E:0050_662201E7_8CFD7A6:4F34
x-iplb-instance: 59215
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dSYgvgN%2BkpfQ6v6gWK27%2B%2BfmWLKcF2MptcJswBQKd2fpkq2iLAptjSubOM3Zke61a6Q172VaVdgHxm7abKgk0o%2F3KtRSZh0%2F%2FiRvYxHYYwmXd7tdHRRKVJrIUw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 876a83870bd0b082-ATL
alt-svc: h3=":443"; ma=86400
2024-04-19 05:32:23 UTC  699  IN
Data Raw: 32 62 34 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a
Data Ascii: 2b4{"status":"ok","demoInfo":{"ipAddress":"81.181.57.52","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":
2024-04-19 05:32:23 UTC  5  IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
5          | 192.168.2.5 | 49719       | 172.67.75.166  | 443              | 7088 | C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-19 05:32:23 UTC | 261 bytes | OUT
    GET /demo/home.php?s=81.181.57.52 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: db-ip.com
2024-04-19 05:32:23 UTC | 662 bytes | IN
    HTTP/1.1 200 OK
    Date: Fri, 19 Apr 2024 05:32:23 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: close
    x-iplb-request-id: AC4547D7:C8C0_93878F2E:0050_662201E7_8CD918D:7B63
    x-iplb-instance: 59128
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yZbC%2FIRaPNsDa%2FbaRBqnwI2k0h3y21W8Bq4ICes%2F8mAdecN020DM8r%2Bl%2BF%2B2QbE8YTOU7g1%2F9ezgwvontsTYnLcGMYtA898lwE4vL4HW1dlBNj6YkPbFxqxtIw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 876a8387fa7f6788-ATL
    alt-svc: h3=":443"; ma=86400
2024-04-19 05:32:23 UTC | 699 bytes | IN
    Data Raw: 32 62 34 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a
    Data Ascii: 2b4{"status":"ok","demoInfo":{"ipAddress":"81.181.57.52","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":
2024-04-19 05:32:23 UTC | 5 bytes | IN
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
6          | 192.168.2.5 | 49722       | 34.117.186.192 | 443              | 4816 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-19 05:32:33 UTC | 237 bytes | OUT
    GET /widget/demo/81.181.57.52 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: ipinfo.io
2024-04-19 05:32:33 UTC | 513 bytes | IN
    HTTP/1.1 200 OK
    server: nginx/1.24.0
    date: Fri, 19 Apr 2024 05:32:33 GMT
    content-type: application/json; charset=utf-8
    Content-Length: 980
    access-control-allow-origin: *
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    referrer-policy: strict-origin-when-cross-origin
    x-envoy-upstream-service-time: 2
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-04-19 05:32:33 UTC | 742 bytes | IN
    Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
    Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-19 05:32:33 UTC | 238 bytes | IN
    Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
    Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
7          | 192.168.2.5 | 49723       | 172.67.75.166  | 443              | 4816 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-19 05:32:34 UTC | 261 bytes | OUT
    GET /demo/home.php?s=81.181.57.52 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: db-ip.com
2024-04-19 05:32:34 UTC | 650 bytes | IN
    HTTP/1.1 200 OK
    Date: Fri, 19 Apr 2024 05:32:34 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: close
    x-iplb-request-id: AC4546BD:3782_93878F2E:0050_662201F2_8CD92E2:7B63
    x-iplb-instance: 59128
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ad08I3f%2Bg0Pd5wDszxge2gMmWVl9PePa8OinUdL3P7neSLWYdeSOedMHnBCa8CyO7AB1dnci49Xs7DpCyvS4I6UQVWobQmDPCK9XOI4fom1jHx43LUb0yNgUxw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 876a83caab3d6735-ATL
    alt-svc: h3=":443"; ma=86400
2024-04-19 05:32:34 UTC | 85 bytes | IN
    Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
    Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-19 05:32:34 UTC | 5 bytes | IN
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port
8          | 192.168.2.5 | 49724       | 34.117.186.192 | 443

Timestamp | Bytes transferred | Direction | Data
2024-04-19 05:32:35 UTC | 237 bytes | OUT
    GET /widget/demo/81.181.57.52 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: ipinfo.io
2024-04-19 05:32:35 UTC | 513 bytes | IN
    HTTP/1.1 200 OK
    server: nginx/1.24.0
    date: Fri, 19 Apr 2024 05:32:35 GMT
    content-type: application/json; charset=utf-8
    Content-Length: 980
    access-control-allow-origin: *
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    referrer-policy: strict-origin-when-cross-origin
    x-envoy-upstream-service-time: 3
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-04-19 05:32:35 UTC | 742 bytes | IN
    Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
    Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-19 05:32:35 UTC | 238 bytes | IN
    Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
    Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID | Source IP   | Source Port | Destination IP | Destination Port
9          | 192.168.2.5 | 49725       | 172.67.75.166  | 443

Timestamp | Bytes transferred | Direction | Data
2024-04-19 05:32:36 UTC | 261 bytes | OUT
    GET /demo/home.php?s=81.181.57.52 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: db-ip.com
2024-04-19 05:32:36 UTC | 656 bytes | IN
    HTTP/1.1 200 OK
    Date: Fri, 19 Apr 2024 05:32:36 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: close
    x-iplb-request-id: AC454741:4E06_93878F2E:0050_662201F4_8CD932E:7B63
    x-iplb-instance: 59128
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F0bFXMtbxKji8Ajku8gGroxenTWbXk7ddxwnx%2BotxERAAbokkTwSx%2BoRbMzMgMRCAR2Hwcm3ull1pBVJiaSYeiN%2BkmpEa3jQTKIWwiTS4eWoQ6obpbaJfy%2BDZw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 876a83d7fb204584-ATL
    alt-svc: h3=":443"; ma=86400
2024-04-19 05:32:36 UTC | 85 bytes | IN
    Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
    Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-19 05:32:36 UTC | 5 bytes | IN
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


                                                                                                                                                                          Target ID:0
                                                                                                                                                                          Start time:07:31:55
                                                                                                                                                                          Start date:19/04/2024
                                                                                                                                                                          Path:C:\Users\user\Desktop\s2dwlCsA95.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Users\user\Desktop\s2dwlCsA95.exe"
                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                          File size:936'960 bytes
                                                                                                                                                                          MD5 hash:360F5B40A6CBC8F99639D6989A3FD0AC
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2380582113.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2380919991.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2415246869.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2381605815.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2415935130.000000000494C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2415707420.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2416554344.0000000007A00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:2
                                                                                                                                                                          Start time:07:32:00
                                                                                                                                                                          Start date:19/04/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                                                                                                                                                                          Imagebase:0xf40000
                                                                                                                                                                          File size:187'904 bytes
                                                                                                                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:3
                                                                                                                                                                          Start time:07:32:00
                                                                                                                                                                          Start date:19/04/2024
                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:4
                                                                                                                                                                          Start time:07:32:00
                                                                                                                                                                          Start date:19/04/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                                                                                                                                                                          Imagebase:0xf40000
                                                                                                                                                                          File size:187'904 bytes
                                                                                                                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:5
                                                                                                                                                                          Start time:07:32:00
                                                                                                                                                                          Start date:19/04/2024
                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:8
                                                                                                                                                                          Start time:07:32:00
                                                                                                                                                                          Start date:19/04/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 868
                                                                                                                                                                          Imagebase:0xd10000
                                                                                                                                                                          File size:483'680 bytes
                                                                                                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:9
                                                                                                                                                                          Start time:07:32:01
                                                                                                                                                                          Start date:19/04/2024
                                                                                                                                                                          Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                          File size:936'960 bytes
                                                                                                                                                                          MD5 hash:360F5B40A6CBC8F99639D6989A3FD0AC
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000003.2127621832.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000002.2826478110.000000000796A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000002.2826478110.00000000079AB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000009.00000002.2825584090.000000000496E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000002.2823048597.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 47%, ReversingLabs
• Detection: 51%, Virustotal, Browse
Reputation:low
Has exited:true

Target ID:10
Start time:07:32:01
Start date:19/04/2024
Path:C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):true
Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:0x400000
File size:936'960 bytes
MD5 hash:360F5B40A6CBC8F99639D6989A3FD0AC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000002.2839912338.0000000007B0B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000A.00000002.2838613452.0000000004945000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000003.2631101956.0000000007983000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000003.2630742381.0000000007983000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000002.2839750203.0000000007987000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000002.2836396180.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000003.2630813730.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000003.2631558554.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000003.2631457958.0000000007983000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000003.2631172078.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000003.2632111137.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000003.2631820625.0000000007987000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000003.2129386240.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:12
Start time:07:32:02
Start date:19/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 960
Imagebase:0xd10000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:07:32:02
Start date:19/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1008
Imagebase:0xd10000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:16
Start time:07:32:03
Start date:19/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1008
Imagebase:0xd10000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:18
Start time:07:32:04
Start date:19/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 984
Imagebase:0xd10000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:20
Start time:07:32:05
Start date:19/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1384
Imagebase:0xd10000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:22
Start time:07:32:06
Start date:19/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1016
Imagebase:0xd10000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:24
Start time:07:32:09
Start date:19/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 812
Imagebase:0xd10000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:26
Start time:07:32:09
Start date:19/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6340 -s 780
Imagebase:0xd10000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:07:32:09
Start date:19/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1872
Imagebase:0xd10000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:29
                                                                                                                                                                          Start time:07:32:12
                                                                                                                                                                          Start date:19/04/2024
                                                                                                                                                                          Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                          File size:936'960 bytes
                                                                                                                                                                          MD5 hash:360F5B40A6CBC8F99639D6989A3FD0AC
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001D.00000002.2847854867.00000000079CB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001D.00000003.2719158457.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001D.00000002.2847854867.00000000079AB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001D.00000003.2719409895.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001D.00000003.2719285122.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001D.00000003.2719533978.00000000079CB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001D.00000002.2847042300.00000000049A1000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001D.00000002.2844660544.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001D.00000002.2846157398.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001D.00000002.2847142038.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000001D.00000002.2847142038.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001D.00000003.2229476539.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                          • Detection: 47%, ReversingLabs
                                                                                                                                                                          • Detection: 51%, Virustotal, Browse
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:34
                                                                                                                                                                          Start time:07:32:13
                                                                                                                                                                          Start date:19/04/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1908
                                                                                                                                                                          Imagebase:0xd10000
                                                                                                                                                                          File size:483'680 bytes
                                                                                                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:35
                                                                                                                                                                          Start time:07:32:14
                                                                                                                                                                          Start date:19/04/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 900
                                                                                                                                                                          Imagebase:0xd10000
                                                                                                                                                                          File size:483'680 bytes
                                                                                                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:36
                                                                                                                                                                          Start time:07:32:14
                                                                                                                                                                          Start date:19/04/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6340 -s 872
                                                                                                                                                                          Imagebase:0xd10000
                                                                                                                                                                          File size:483'680 bytes
                                                                                                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:40
                                                                                                                                                                          Start time:07:32:17
                                                                                                                                                                          Start date:19/04/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1876
                                                                                                                                                                          Imagebase:0xd10000
                                                                                                                                                                          File size:483'680 bytes
                                                                                                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:41
                                                                                                                                                                          Start time:07:32:17
                                                                                                                                                                          Start date:19/04/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 932
                                                                                                                                                                          Imagebase:0xd10000
                                                                                                                                                                          File size:483'680 bytes
                                                                                                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          No disassembly