Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1429092
MD5: a815d2d73a30dfcab21000b326b29c13
SHA1: b9ec12b977b9ee6ecdcb74c7e718ad4018755625
SHA256: 9ba89a594158dcad47219d1fffc94d54ceab08aa934dfaf80a9880fefd3e3070
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check for running processes (XOR)
Contains functionality to inject threads in other processes
Country aware sample found (crashes after keyboard check)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 7448 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A815D2D73A30DFCAB21000B326B29C13)
    • schtasks.exe (PID: 7492 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7540 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 7660 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 848 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7820 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 960 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7880 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 972 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7940 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 976 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 8052 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 976 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 8132 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 1396 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 8188 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 996 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 7548 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: A815D2D73A30DFCAB21000B326B29C13)
    • WerFault.exe (PID: 7756 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 808 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2912 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 920 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7336 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 908 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7652 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 936 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7752 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 936 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 7716 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: A815D2D73A30DFCAB21000B326B29C13)
    • WerFault.exe (PID: 8004 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 776 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7036 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 888 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7440 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 884 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7672 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 900 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7252 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 908 MD5: C31336C1EFC2CCB44B4326EA793040F2)
No configs have been found
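The two schtasks.exe children of file.exe (PIDs 7492 and 7540) show the persistence shape worth hunting for across a fleet: a task created with /create /f whose target is a binary dropped under C:\ProgramData, run with /rl HIGHEST, once ONLOGON and once HOURLY. The following is an added example, not Joe Sandbox code, that parses schtasks command lines from process-creation telemetry and scores that pattern. The first two sample command lines are copied from the process tree above; the benign third one and the drop-directory list are assumptions for illustration.

```python
"""Triage of schtasks.exe command lines for the persistence pattern in this
report: a task created with /create /f whose target lives under ProgramData
or a user profile, runs with /rl HIGHEST, and fires ONLOGON or every hour.
Added example, not Joe Sandbox code. The first two sample command lines are
taken from the process tree above; the benign third one is made up."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Locations a legitimate installer rarely uses as a scheduled-task target
# (assumed list; extend per environment).
DROP_DIRS = (
    "c:\\programdata\\",
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "c:\\users\\public\\",
    "\\temp\\",
)
# Schedules that re-run the payload often enough to act as persistence.
AGGRESSIVE_SCHEDULES = {"MINUTE", "HOURLY", "ONLOGON", "ONSTART", "ONIDLE"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted arguments
    together and stripping the quotes."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline: str) -> dict[str, str | None]:
    """Map `/FLAG value` pairs to {FLAG: value}; bare switches such as /create
    and /f map to None. Flag names are case-insensitive in schtasks."""
    tokens = tokenize(cmdline)
    flags: dict[str, str | None] = {}
    i = 1  # tokens[0] is the program name
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("/"):
                flags[tok[1:].upper()] = nxt
                i += 2
                continue
            flags[tok[1:].upper()] = None
        i += 1
    return flags


@dataclass
class Finding:
    task_name: str | None
    target: str | None
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A dropped-location target is required; any second indicator confirms.
        return "target-in-drop-dir" in self.reasons and len(self.reasons) >= 2


def triage(cmdline: str) -> Finding:
    """Score one schtasks command line. Only /create lines are scored;
    /query, /delete and the like return an empty finding."""
    flags = parse_schtasks(cmdline)
    finding = Finding(task_name=flags.get("TN"), target=flags.get("TR"))
    if "CREATE" not in flags:
        return finding
    target = (finding.target or "").lower()
    schedule = (flags.get("SC") or "").upper()
    if any(d in target for d in DROP_DIRS):
        finding.reasons.append("target-in-drop-dir")
    if (flags.get("RL") or "").upper() == "HIGHEST":
        finding.reasons.append("runlevel-highest")
    if schedule in AGGRESSIVE_SCHEDULES:
        finding.reasons.append(f"schedule-{schedule}")
    if "F" in flags:
        finding.reasons.append("force-overwrite")
    return finding


# First two lines: from this report's process tree (PIDs 7492 and 7540).
# Third line: made-up benign task for contrast.
SAMPLE_CMDLINES = [
    r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST',
    r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST',
    r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc DAILY /st 02:00',
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        r = triage(cmd)
        print(f"{'ALERT' if r.suspicious else 'ok   '} {r.task_name!r:16} -> {r.target} {r.reasons}")
```

The scoring deliberately requires the drop-directory indicator plus one more, so that an admin's `/rl HIGHEST` task pointing into Program Files does not page anyone. Pair it with the Run-key write to RageMP131.exe under AppData\Local that the Sigma hit below records: the same sample establishes persistence twice, once per-user and once via the scheduler.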
Yara matches on dropped files (Source | Rule | Description | Author):
  C:\Users\user\AppData\Local\Temp\rTXApvaKL9yw6N5oqHITZ9U.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
  C:\Users\user\AppData\Local\Temp\HZqMYfpyMfdfHfQja15Vpq6.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
  C:\Users\user\AppData\Local\Temp\ax62Lo_zBXq90uwBqgwbr3X.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security

Yara matches in memory dumps (Source | Rule | Description | Author | Strings):
  00000004.00000002.2374176971.0000000006728000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
  00000004.00000002.2371863766.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
  00000004.00000002.2373416291.0000000003707000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
    • 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
  00000000.00000002.2081219970.000000000370D000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
    • 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
  00000009.00000002.2305457236.00000000035A1000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
    • 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
  (21 entries in the full report; only the first are shown here)

Yara matches on unpacked PE files (Source | Rule | Description | Author):
  9.2.MPGPH131.exe.400000.0.raw.unpack | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
  9.2.MPGPH131.exe.3830e67.1.raw.unpack | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
  4.2.MPGPH131.exe.38e0e67.1.raw.unpack | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
  4.2.MPGPH131.exe.400000.0.raw.unpack | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
  0.2.file.exe.400000.0.raw.unpack | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
  (7 entries in the full report; only the first are shown here)
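The Windows_Trojan_RedLineStealer_ed346e4c hit is a single 21-byte code string found at the same offset (0x798) in dumps of processes 0, 4 and 9, which are file.exe and the two MPGPH131.exe copies. It opens with a plain x86 function prologue (55 8B EC is push ebp; mov ebp, esp), so it is a code-overlap indicator and weaker evidence than the family-specific RisePro rule that also fires on these dumps. The following added example (not YARA and not Joe Sandbox code) is a minimal hex-pattern scanner with `??` wildcards for re-checking such a string against a raw dump; the dump it scans is a constructed buffer with the sequence written at 0x798 and a one-byte near miss at 0x100.

```python
"""Minimal YARA-style hex pattern scanner, added here (not YARA, not Joe
Sandbox code) to re-check the `$a` string of the
Windows_Trojan_RedLineStealer_ed346e4c hit against a raw memory dump. It
supports byte values and `??` single-byte wildcards only. The dump is a
constructed buffer with the 21-byte sequence written at 0x798, the offset
reported above, and a one-byte near miss at 0x100."""
from __future__ import annotations

import re

# The string reported at 0x798 in the dumps of processes 0, 4 and 9.
REDLINE_A = "55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B"


def compile_hex_pattern(pattern: str) -> re.Pattern[bytes]:
    """Compile 'AA ?? BB' into a zero-width bytes regex so that overlapping
    occurrences are all reported. Tokens are two hex digits or '??'."""
    parts: list[bytes] = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported token {tok!r}")
    if not parts:
        raise ValueError("empty pattern")
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)


def scan(buf: bytes, pattern: str) -> list[int]:
    """Offsets of every occurrence of the pattern in buf."""
    return [m.start() for m in compile_hex_pattern(pattern).finditer(buf)]


def build_sample_dump() -> bytes:
    """Constructed 4 KiB 'dump': NOP filler, the real sequence at 0x798 and a
    copy with byte 3 flipped at 0x100 (matches only with a wildcard there)."""
    buf = bytearray(b"\x90" * 0x1000)
    seq = bytes.fromhex(REDLINE_A.replace(" ", ""))
    buf[0x798:0x798 + len(seq)] = seq
    near_miss = bytearray(seq)
    near_miss[3] ^= 0xFF
    buf[0x100:0x100 + len(seq)] = near_miss
    return bytes(buf)


if __name__ == "__main__":
    dump = build_sample_dump()
    print("exact   :", [hex(o) for o in scan(dump, REDLINE_A)])
    wild = REDLINE_A.split()
    wild[3] = "??"
    print("wildcard:", [hex(o) for o in scan(dump, " ".join(wild))])
```

Run against the real .sdmp files, the exact pattern should land at 0x798 in each of the three dumps listed; if it lands in many unrelated binaries as well, treat the rule hit as corroboration of the RisePro detection rather than as a second family.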

                      System Summary

Sigma: CurrentVersion Autorun Keys Modification
  Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
  Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 7448, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort IDS alerts, in time order (Timestamp | SID | Rule | Source Port -> Destination Port | Protocol | Classtype):
  04/20/24-20:05:00.821645 | 2049060 | RisePro TCP Heartbeat Packet | 49730 -> 58709 | TCP | A Network Trojan was detected
  04/20/24-20:05:01.031788 | 2046266 | RisePro TCP (Token) | 58709 -> 49730 | TCP | A Network Trojan was detected
  04/20/24-20:05:02.409597 | 2046267 | RisePro TCP (External IP) | 58709 -> 49730 | TCP | A Network Trojan was detected
  04/20/24-20:05:03.174322 | 2046266 | RisePro TCP (Token) | 58709 -> 49731 | TCP | A Network Trojan was detected
  04/20/24-20:05:05.549113 | 2046269 | RisePro TCP (Activity) | 49730 -> 58709 | TCP | A Network Trojan was detected
  04/20/24-20:05:05.669470 | 2046266 | RisePro TCP (Token) | 58709 -> 49732 | TCP | A Network Trojan was detected
  04/20/24-20:05:08.957422 | 2046267 | RisePro TCP (External IP) | 58709 -> 49731 | TCP | A Network Trojan was detected
  04/20/24-20:05:09.034376 | 2046267 | RisePro TCP (External IP) | 58709 -> 49732 | TCP | A Network Trojan was detected
  04/20/24-20:05:19.057028 | 2046266 | RisePro TCP (Token) | 58709 -> 49744 | TCP | A Network Trojan was detected
  04/20/24-20:05:24.937277 | 2046266 | RisePro TCP (Token) | 58709 -> 49745 | TCP | A Network Trojan was detected
  04/20/24-20:05:25.800661 | 2046267 | RisePro TCP (External IP) | 58709 -> 49744 | TCP | A Network Trojan was detected
  04/20/24-20:05:36.860964 | 2046267 | RisePro TCP (External IP) | 58709 -> 49745 | TCP | A Network Trojan was detected
  04/20/24-20:05:38.687787 | 2046269 | RisePro TCP (Activity) | 49731 -> 58709 | TCP | A Network Trojan was detected
  04/20/24-20:05:41.718793 | 2046269 | RisePro TCP (Activity) | 49732 -> 58709 | TCP | A Network Trojan was detected
  04/20/24-20:05:54.187156 | 2046269 | RisePro TCP (Activity) | 49744 -> 58709 | TCP | A Network Trojan was detected
  04/20/24-20:05:58.481493 | 2046269 | RisePro TCP (Activity) | 49745 -> 58709 | TCP | A Network Trojan was detected
  (Port 58709 is the remote C2 port on 147.45.47.93; the 497xx ports are the sandbox's ephemeral ports, see the Networking section. Rule names are taken from the Snort entries there.)

                      AV Detection

Source: http://193.233.132.167/cost/lenin.exe | URL Reputation: Label: malware
Source: http://147.45.47.102:57893/hera/amadka.exe | Virustotal: Detection: 18%
Source: http://193.233.132.167/cost/go.exe | Virustotal: Detection: 24%
Source: http://193.233.132.167/cost/lenin.exeUser | Virustotal: Detection: 23%
Source: http://193.233.132.167/cost/go.exelater | Virustotal: Detection: 23%
Source: http://147.45.47.102:57893/hera/amadka.exe68.0 | Virustotal: Detection: 15%
Source: http://193.233.132.167/cost/go.exe/ | Virustotal: Detection: 24%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | ReversingLabs: Detection: 36%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | ReversingLabs: Detection: 36%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041F3EB CryptUnprotectData,LocalFree,0_2_0041F3EB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0041F3EB CryptUnprotectData,LocalFree,4_2_0041F3EB

                      Compliance

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 4.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: Binary string: C:\marahakogori-butukewu_zovo.pdb | source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E7B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,0_2_0040E7B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DB1CB FindClose,FindFirstFileExW,GetLastError,0_2_004DB1CB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B300 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_0040B300
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041FA10 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_0041FA10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0040E7B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,4_2_0040E7B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004DB1CB FindClose,FindFirstFileExW,GetLastError,4_2_004DB1CB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0040B300 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,4_2_0040B300
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0041FA10 FindFirstFileA,FindNextFileA,GetLastError,FindClose,4_2_0041FA10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0043EAEB FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CopyFileA,CopyFileA,4_2_0043EAEB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004DB251 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,4_2_004DB251
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0043FBB9 FindFirstFileA,FindNextFileA,GetLastError,FindClose,CreateFileA,GetFileSize,ReadFile,CloseHandle,4_2_0043FBB9
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_abb99b7dbfb2236439a53546d25fcd4b72b99ec0_b211229c_30d4bf65-0144-4d41-a1e5-2d1f034d6932\
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_76a8b624aa1c3f63e51b8c46f4549fe453f20_664b7b5e_236d6df2-efc0-4d22-90e1-905525e0d691\

                      Networking

                      barindex
                      Source: TrafficSnort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49730 -> 147.45.47.93:58709
                      Source: TrafficSnort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49730
                      Source: TrafficSnort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49730
                      Source: TrafficSnort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49731
                      Source: TrafficSnort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49730 -> 147.45.47.93:58709
                      Source: TrafficSnort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49732
                      Source: TrafficSnort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49731 -> 147.45.47.93:58709
                      Source: TrafficSnort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 147.45.47.93:58709
                      Source: TrafficSnort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49731
                      Source: TrafficSnort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49732
                      Source: TrafficSnort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49744
                      Source: TrafficSnort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49744 -> 147.45.47.93:58709
                      Source: TrafficSnort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49745
                      Source: TrafficSnort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49744
                      Source: TrafficSnort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49745 -> 147.45.47.93:58709
                      Source: TrafficSnort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49745
                      Source: global trafficTCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
                      Source: global trafficTCP traffic: 192.168.2.4:49730 -> 147.45.47.93:58709
                      Source: Joe Sandbox ViewIP Address: 34.117.186.192 34.117.186.192
                      Source: Joe Sandbox ViewIP Address: 34.117.186.192 34.117.186.192
                      Source: Joe Sandbox ViewIP Address: 147.45.47.93 147.45.47.93
                      Source: Joe Sandbox ViewIP Address: 104.26.4.15 104.26.4.15
                      Source: Joe Sandbox ViewASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
                      Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                      Source: unknownDNS query: name: ipinfo.io
                      Source: unknownDNS query: name: ipinfo.io
                      Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
                      Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
                      Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
                      Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
                      Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
                      Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
                      Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
                      Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
                      Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
                      Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041E220 recv,setsockopt,recv,WSAGetLastError,recv,recv,setsockopt,recv,recv,recv,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep (0_2_0041E220)
                      Source: global traffic | HTTP traffic detected:
                          GET /widget/demo/81.181.57.52 HTTP/1.1
                          Connection: Keep-Alive
                          Referer: https://ipinfo.io/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                          Host: ipinfo.io
                      Source: global traffic | HTTP traffic detected:
                          GET /demo/home.php?s=81.181.57.52 HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                          Host: db-ip.com
                      Source: unknown | DNS traffic detected: queries for: ipinfo.io
                      Source: file.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
                      Source: MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe68.0
                      Source: file.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exef
                      Source: file.exe, 00000000.00000002.2081934645.000000000676E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/go.exe
                      Source: MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/go.exe/
                      Source: MPGPH131.exe, 00000009.00000002.2305000838.0000000001CF3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/go.exeIdser
                      Source: file.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/go.exelater
                      Source: file.exe, 00000000.00000002.2081934645.000000000676E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/go.exeoin7FwmBKlOFG
                      Source: MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/go.exeomanialisherQ
                      Source: file.exe, 00000000.00000002.2081934645.000000000676E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/lenin.exe
                      Source: MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/lenin.exe.exeData.
                      Source: MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/lenin.exe81.57.52
                      Source: MPGPH131.exe, 00000009.00000002.2305000838.0000000001CF3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/lenin.exeUser
                      Source: file.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/lenin.exeania
                      Source: file.exe, 00000000.00000002.2081934645.000000000676E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/lenin.exeerty.jaxx
                      Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net
                      Source: file.exe, file.exe, 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2081435300.0000000003890000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1666330206.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000004.00000003.1684180987.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2370794973.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000004.00000002.2373632178.00000000038E0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2304201006.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000009.00000002.2305705773.0000000003830000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.1705537281.0000000003990000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
                      Source: file.exe, 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2081435300.0000000003890000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1666330206.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.1684180987.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2370794973.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000004.00000002.2373632178.00000000038E0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2304201006.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000009.00000002.2305705773.0000000003830000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.1705537281.0000000003990000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
                      Source: file.exe, 00000000.00000003.1863969958.00000000067B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863132979.0000000006786000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865894751.00000000067B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213889732.0000000006799000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2215599958.000000000679E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213081705.0000000006777000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2101566111.00000000067A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2103342082.00000000067C5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2100938277.0000000006784000.00000004.00000020.00020000.00000000.sdmp, w6NCEqkWwTcAWeb Data.0.dr, 8HRycHnVbK4iWeb Data.9.dr, 6GKpONOgQCQDWeb Data.4.dr, amggfY1X012lWeb Data.4.dr, s_jDytUw5zVDWeb Data.0.dr, JDpwntiCRWhZWeb Data.9.dr, rdNYuR1GWMoBWeb Data.9.dr, p5yNjy0gJTQpWeb Data.0.dr, njJisi0cnX_KWeb Data.4.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: file.exe, 00000000.00000003.1863969958.00000000067B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863132979.0000000006786000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865894751.00000000067B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213889732.0000000006799000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2215599958.000000000679E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213081705.0000000006777000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2101566111.00000000067A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2103342082.00000000067C5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2100938277.0000000006784000.00000004.00000020.00020000.00000000.sdmp, w6NCEqkWwTcAWeb Data.0.dr, 8HRycHnVbK4iWeb Data.9.dr, 6GKpONOgQCQDWeb Data.4.dr, amggfY1X012lWeb Data.4.dr, s_jDytUw5zVDWeb Data.0.dr, JDpwntiCRWhZWeb Data.9.dr, rdNYuR1GWMoBWeb Data.9.dr, p5yNjy0gJTQpWeb Data.0.dr, njJisi0cnX_KWeb Data.4.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: file.exe, 00000000.00000003.1863969958.00000000067B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863132979.0000000006786000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865894751.00000000067B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213889732.0000000006799000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2215599958.000000000679E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213081705.0000000006777000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2101566111.00000000067A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2103342082.00000000067C5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2100938277.0000000006784000.00000004.00000020.00020000.00000000.sdmp, w6NCEqkWwTcAWeb Data.0.dr, 8HRycHnVbK4iWeb Data.9.dr, 6GKpONOgQCQDWeb Data.4.dr, amggfY1X012lWeb Data.4.dr, s_jDytUw5zVDWeb Data.0.dr, JDpwntiCRWhZWeb Data.9.dr, rdNYuR1GWMoBWeb Data.9.dr, p5yNjy0gJTQpWeb Data.0.dr, njJisi0cnX_KWeb Data.4.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: file.exe, 00000000.00000003.1863969958.00000000067B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863132979.0000000006786000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865894751.00000000067B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213889732.0000000006799000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2215599958.000000000679E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213081705.0000000006777000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2101566111.00000000067A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2103342082.00000000067C5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2100938277.0000000006784000.00000004.00000020.00020000.00000000.sdmp, w6NCEqkWwTcAWeb Data.0.dr, 8HRycHnVbK4iWeb Data.9.dr, 6GKpONOgQCQDWeb Data.4.dr, amggfY1X012lWeb Data.4.dr, s_jDytUw5zVDWeb Data.0.dr, JDpwntiCRWhZWeb Data.9.dr, rdNYuR1GWMoBWeb Data.9.dr, p5yNjy0gJTQpWeb Data.0.dr, njJisi0cnX_KWeb Data.4.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: file.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/
                      Source: MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/0
                      Source: MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
                      Source: MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52l
                      Source: MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52o
                      Source: MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52u_
                      Source: MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52
                      Source: file.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52d
                      Source: file.exe, 00000000.00000003.1863969958.00000000067B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863132979.0000000006786000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865894751.00000000067B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213889732.0000000006799000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2215599958.000000000679E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213081705.0000000006777000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2101566111.00000000067A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2103342082.00000000067C5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2100938277.0000000006784000.00000004.00000020.00020000.00000000.sdmp, w6NCEqkWwTcAWeb Data.0.dr, 8HRycHnVbK4iWeb Data.9.dr, 6GKpONOgQCQDWeb Data.4.dr, amggfY1X012lWeb Data.4.dr, s_jDytUw5zVDWeb Data.0.dr, JDpwntiCRWhZWeb Data.9.dr, rdNYuR1GWMoBWeb Data.9.dr, p5yNjy0gJTQpWeb Data.0.dr, njJisi0cnX_KWeb Data.4.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: file.exe, 00000000.00000003.1863969958.00000000067B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863132979.0000000006786000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865894751.00000000067B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213889732.0000000006799000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2215599958.000000000679E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213081705.0000000006777000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2101566111.00000000067A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2103342082.00000000067C5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2100938277.0000000006784000.00000004.00000020.00020000.00000000.sdmp, w6NCEqkWwTcAWeb Data.0.dr, 8HRycHnVbK4iWeb Data.9.dr, 6GKpONOgQCQDWeb Data.4.dr, amggfY1X012lWeb Data.4.dr, s_jDytUw5zVDWeb Data.0.dr, JDpwntiCRWhZWeb Data.9.dr, rdNYuR1GWMoBWeb Data.9.dr, p5yNjy0gJTQpWeb Data.0.dr, njJisi0cnX_KWeb Data.4.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: file.exe, 00000000.00000003.1863969958.00000000067B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863132979.0000000006786000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865894751.00000000067B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213889732.0000000006799000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2215599958.000000000679E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213081705.0000000006777000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2101566111.00000000067A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2103342082.00000000067C5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2100938277.0000000006784000.00000004.00000020.00020000.00000000.sdmp, w6NCEqkWwTcAWeb Data.0.dr, 8HRycHnVbK4iWeb Data.9.dr, 6GKpONOgQCQDWeb Data.4.dr, amggfY1X012lWeb Data.4.dr, s_jDytUw5zVDWeb Data.0.dr, JDpwntiCRWhZWeb Data.9.dr, rdNYuR1GWMoBWeb Data.9.dr, p5yNjy0gJTQpWeb Data.0.dr, njJisi0cnX_KWeb Data.4.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: MPGPH131.exe, 00000009.00000002.2305000838.0000000001C41000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/
                      Source: file.exe, 00000000.00000002.2080428663.0000000001B5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/=R
                      Source: MPGPH131.exe, 00000004.00000002.2371863766.0000000001B83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/M2_&
                      Source: file.exe, 00000000.00000002.2080428663.0000000001B8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/Mozilla/5.0
                      Source: file.exe, 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2081435300.0000000003890000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1666330206.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.1684180987.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2370794973.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000004.00000002.2373632178.00000000038E0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2304201006.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000009.00000002.2305705773.0000000003830000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.1705537281.0000000003990000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
                      Source: file.exe, 00000000.00000002.2080428663.0000000001B8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2080428663.0000000001B5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2371863766.0000000001B5C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
                      Source: MPGPH131.exe, 00000009.00000002.2305000838.0000000001C7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52b
                      Source: file.exe, 00000000.00000002.2080428663.0000000001B5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52ey
                      Source: MPGPH131.exe, 00000009.00000002.2305000838.0000000001C51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52u
                      Source: file.exe, 00000000.00000002.2080428663.0000000001B8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52
                      Source: D87fZN3R3jFeplaces.sqlite.9.dr | String found in binary or memory: https://support.mozilla.org
                      Source: D87fZN3R3jFeplaces.sqlite.9.dr | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                      Source: D87fZN3R3jFeplaces.sqlite.9.dr | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
                      Source: file.exe, 00000000.00000003.1863448564.0000000006793000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213504678.0000000006777000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2102868244.00000000067A3000.00000004.00000020.00020000.00000000.sdmp, 8MhogtJMRILwHistory.0.dr, sANT26gQMwt7History.4.dr, fzOGBVhWIKhlHistory.4.dr, uUNSZzd9cNCaHistory.9.dr, Sbg9DSp7lstNHistory.0.dr, Z2XBcxuCaxhxHistory.9.dr | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                      Source: 8MhogtJMRILwHistory.0.dr, sANT26gQMwt7History.4.dr, fzOGBVhWIKhlHistory.4.dr, uUNSZzd9cNCaHistory.9.dr, Sbg9DSp7lstNHistory.0.dr, Z2XBcxuCaxhxHistory.9.dr | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                      Source: file.exe, 00000000.00000003.1863448564.0000000006793000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213504678.0000000006777000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2102868244.00000000067A3000.00000004.00000020.00020000.00000000.sdmp, 8MhogtJMRILwHistory.0.dr, sANT26gQMwt7History.4.dr, fzOGBVhWIKhlHistory.4.dr, uUNSZzd9cNCaHistory.9.dr, Sbg9DSp7lstNHistory.0.dr, Z2XBcxuCaxhxHistory.9.dr | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                      Source: 8MhogtJMRILwHistory.0.dr, sANT26gQMwt7History.4.dr, fzOGBVhWIKhlHistory.4.dr, uUNSZzd9cNCaHistory.9.dr, Sbg9DSp7lstNHistory.0.dr, Z2XBcxuCaxhxHistory.9.dr | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                      Source: file.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.S
                      Source: file.exe, 00000000.00000002.2080428663.0000000001B0E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2081934645.0000000006720000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2374176971.0000000006728000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2371863766.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C07000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2306103257.0000000006730000.00000004.00000020.00020000.00000000.sdmp, rTXApvaKL9yw6N5oqHITZ9U.zip.4.dr, HZqMYfpyMfdfHfQja15Vpq6.zip.0.dr, ax62Lo_zBXq90uwBqgwbr3X.zip.9.dr | String found in binary or memory: https://t.me/RiseProSUPPORT
                      Source: MPGPH131.exe, 00000004.00000002.2371863766.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORT0o
                      Source: MPGPH131.exe, 00000004.00000002.2374176971.0000000006728000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORTa
                      Source: MPGPH131.exe, 00000009.00000002.2306103257.0000000006730000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORTs
                      Source: MPGPH131.exe, 00000009.00000002.2306103257.0000000006730000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORT~
                      Source: MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2240485249.00000000067AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2306103257.0000000006730000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.9.dr, passwords.txt.0.dr, passwords.txt.4.dr | String found in binary or memory: https://t.me/risepro_bot
                      Source: MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/risepro_both
                      Source: MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/risepro_botisepro_bot
                      Source: file.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/risepro_botlaterT
                      Source: MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/risepro_botriseproon1
                      Source: file.exe, 00000000.00000003.1863969958.00000000067B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863132979.0000000006786000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865894751.00000000067B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213889732.0000000006799000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2215599958.000000000679E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213081705.0000000006777000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2101566111.00000000067A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2103342082.00000000067C5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2100938277.0000000006784000.00000004.00000020.00020000.00000000.sdmp, w6NCEqkWwTcAWeb Data.0.dr, 8HRycHnVbK4iWeb Data.9.dr, 6GKpONOgQCQDWeb Data.4.dr, amggfY1X012lWeb Data.4.dr, s_jDytUw5zVDWeb Data.0.dr, JDpwntiCRWhZWeb Data.9.dr, rdNYuR1GWMoBWeb Data.9.dr, p5yNjy0gJTQpWeb Data.0.dr, njJisi0cnX_KWeb Data.4.dr | String found in binary or memory: https://www.ecosia.org/newtab/
                      Source: file.exe, 00000000.00000003.1863969958.00000000067B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863132979.0000000006786000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865894751.00000000067B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213889732.0000000006799000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2215599958.000000000679E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213081705.0000000006777000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2101566111.00000000067A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2103342082.00000000067C5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2100938277.0000000006784000.00000004.00000020.00020000.00000000.sdmp, w6NCEqkWwTcAWeb Data.0.dr, 8HRycHnVbK4iWeb Data.9.dr, 6GKpONOgQCQDWeb Data.4.dr, amggfY1X012lWeb Data.4.dr, s_jDytUw5zVDWeb Data.0.dr, JDpwntiCRWhZWeb Data.9.dr, rdNYuR1GWMoBWeb Data.9.dr, p5yNjy0gJTQpWeb Data.0.dr, njJisi0cnX_KWeb Data.4.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                      Source: file.exe, MPGPH131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                      Source: D87fZN3R3jFeplaces.sqlite.9.dr | String found in binary or memory: https://www.mozilla.org
                      Source: D87fZN3R3jFeplaces.sqlite.9.dr | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                      Source: D87fZN3R3jFeplaces.sqlite.9.dr | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                      Source: file.exe, 00000000.00000002.2081934645.000000000676E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                      Source: MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/(
                      Source: MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/:
                      Source: file.exe, 00000000.00000003.1862531122.000000000676E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1862749156.000000000676E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863180370.000000000676E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2081934645.000000000676E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864385278.000000000676E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863589514.000000000676E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863761310.000000000676E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864172189.000000000676E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2374176971.000000000675E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2306103257.000000000676A000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.4.dr, 3b6N2Xdh3CYwplaces.sqlite.9.dr, D87fZN3R3jFeplaces.sqlite.4.dr, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.9.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                      Source: file.exe, 00000000.00000002.2081934645.000000000676E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/r6GX4f
                      Source: D87fZN3R3jFeplaces.sqlite.9.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                      Source: file.exe, 00000000.00000002.2081934645.000000000676E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                      Source: MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/e3
                      Source: file.exe, 00000000.00000003.1862531122.000000000676E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1862749156.000000000676E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863180370.000000000676E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2081934645.000000000676E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864385278.000000000676E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863589514.000000000676E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863761310.000000000676E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864172189.000000000676E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2374176971.000000000675E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2306103257.000000000676A000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.4.dr, 3b6N2Xdh3CYwplaces.sqlite.9.dr, D87fZN3R3jFeplaces.sqlite.4.dr, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.9.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                      Source: file.exe, 00000000.00000002.2081934645.000000000676E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/her.dbuG
                      Source: MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001CF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/r
                      Source: file.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/refox
                      Source: MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/refox1
                      Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
                      Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
                      Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
                      Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
                      Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
                      Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
                      Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49733 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49734 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49735 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49736 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49737 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49739 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49746 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49747 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49755 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49756 version: TLS 1.2
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0040BAC0 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown

                      System Summary

                      Source: 00000004.00000002.2373416291.0000000003707000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                      Source: 00000000.00000002.2081219970.000000000370D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                      Source: 00000009.00000002.2305457236.00000000035A1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                      Source: 00000009.00000002.2305705773.0000000003830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                      Source: 00000000.00000002.2081435300.0000000003890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                      Source: 00000004.00000002.2373632178.00000000038E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00446020
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044C160
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00428180
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00496450
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406430
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004224D9
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040C490
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045A490
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004564A0
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048C560
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00458520
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00438770
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00424730
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E7B0
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043C800
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044A8F0
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00442940
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042C980
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043CA90
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045EA9C
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00434B20
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042EB90
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045CC40
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00440C10
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CD50
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00490E40
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E925D
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048D250
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004CB3C0
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00431430
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045B4B0
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043B65D
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00423670
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042B670
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004176B0
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043B750
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004378A0
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00431BE0
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045DDE5
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041FF09
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040BFC0
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048BFB0
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048E040
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049A160
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00490100
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D02E0
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004202AA
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048E35B
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00422360
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D4310
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E03D0
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402410
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004944E0
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00416490
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402600
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00484620
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00422852
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00490860
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00446020
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00428180
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00496450
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00406430
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004224D9
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0040C490
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0045A490
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004564A0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0048C560
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00458520
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00402600
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00438770
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00424730
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0040E7B0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0043C800
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0044A8F0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00442940
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0042C980
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0043CA90
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0045EA9C
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00434B20
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0042EB90
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0045CC40
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00440C10
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0040CD50
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004E925D
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0048D250
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004CB3C0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00431430
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0045B4B0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0043B65D
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00423670
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0042B670
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004176B0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0043B750
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004378A0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00431BE0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0045DDE5
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0041FF09
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0040BFC0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0048BFB0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0048E040
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0044C160
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0049A160
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00490100
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004D02E0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004202AA
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0048E35B
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00422360
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004D4310
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004E03D0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00402410
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004944E0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00416490
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00484620
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00422852
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00490860
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0043EAEB
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004D2A90
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00486AA0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004D0B30
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0044EB90
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004F6CC5
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0048ECA2
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0048CD80
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00490E40
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0049EE70
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0049AE20
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00414ED0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00418EE0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00482FE0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00440FF5
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0048D020
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004CD080
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00487270
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0047F360
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00483470
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0048B4F0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004E959F
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004A36EE
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00433740
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00489720
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004497D0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0048F7B0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004B5870
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00401900
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004BB9E0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004FD9FE
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004099A0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00481A30
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004E3B58
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004E5B90
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0048BC00
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00409D90
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004D1E50
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00483EF0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0043FF40
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0043FF13
                      Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00402D00 appears 36 times
                      Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0046A190 appears 75 times
                      Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0048FE50 appears 31 times
                      Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00469F00 appears 46 times
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 004DD5B0 appears 54 times
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 0048FE50 appears 90 times
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 00469F00 appears 58 times
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 004622E0 appears 35 times
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 00402D00 appears 42 times
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 0046A190 appears 109 times
                      Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 848
                      Source: file.exe | Binary or memory string: OriginalFilename vs file.exe
                      Source: file.exe, 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamewpa.dll( vs file.exe
                      Source: file.exe, 00000000.00000002.2080367579.0000000001A9B000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFires0 vs file.exe
                      Source: file.exe, 00000000.00000003.1693943431.0000000001B79000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFires0 vs file.exe
                      Source: file.exe, 00000000.00000002.2081435300.0000000003890000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewpa.dll( vs file.exe
                      Source: file.exe, 00000000.00000003.1666330206.00000000039F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewpa.dll( vs file.exe
                      Source: file.exe | Binary or memory string: OriginalFilenameFires0 vs file.exe
                      Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 00000004.00000002.2373416291.0000000003707000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                      Source: 00000000.00000002.2081219970.000000000370D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                      Source: 00000009.00000002.2305457236.00000000035A1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                      Source: 00000009.00000002.2305705773.0000000003830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                      Source: 00000000.00000002.2081435300.0000000003890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                      Source: 00000004.00000002.2373632178.00000000038E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@26/137@2/3
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00492300 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA,0_2_00492300
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00491D10 CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA,0_2_00491D10
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040CD50 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_0040CD50
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00446020 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA,0_2_00446020
                      Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\RageMP131Jump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7716
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7448
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7548
                      Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\rage131MP.tmpJump to behavior
                      Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: file.exe, file.exe, 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2081435300.0000000003890000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1666330206.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000004.00000003.1684180987.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2370794973.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000004.00000002.2373632178.00000000038E0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2304201006.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000009.00000002.2305705773.0000000003830000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.1705537281.0000000003990000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                      Source: file.exe, 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2081435300.0000000003890000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1666330206.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.1684180987.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2370794973.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000004.00000002.2373632178.00000000038E0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2304201006.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000009.00000002.2305705773.0000000003830000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.1705537281.0000000003990000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                      Source: MPGPH131.exe, 00000004.00000003.2213026223.0000000001C02000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2212582031.0000000001C02000.00000004.00000020.00020000.00000000.sdmp, W5ItwnbOEWbrLogin Data.0.dr, tTQUAdIiirY8Login Data For Account.4.dr, CEYAAajxdr9QLogin Data.4.dr, Bu4fqjuvymtRLogin Data.9.dr, IO6Zwb2pZcpALogin Data For Account.0.dr, 1xsvu65yyJa4Login Data For Account.9.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: file.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                      Source: MPGPH131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                      Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                      Source: unknownProcess created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 848
                      Source: unknownProcess created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 808
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 960
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 972
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 976
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 776
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 976
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 1396
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 996
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 920
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 888
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 908
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 884
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 936
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 900
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 936
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 908
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHESTJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHESTJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: msimg32.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: rstrtmgr.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: msvcr100.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: d3d11.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: dxgi.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: resourcepolicyclient.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: d3d10warp.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: dxcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: devobj.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: webio.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msimg32.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rstrtmgr.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msvcr100.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d11.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxgi.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: resourcepolicyclient.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d10warp.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxcore.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: devobj.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: webio.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winhttp.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msimg32.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rstrtmgr.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncrypt.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntasn1.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msvcr100.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d11.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxgi.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: resourcepolicyclient.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: kernel.appcore.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d10warp.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: uxtheme.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxcore.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: sspicli.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wininet.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mswsock.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: devobj.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: webio.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: iphlpapi.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winnsi.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dnsapi.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rasadhlp.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: fwpuclnt.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: schannel.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mskeyprotect.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncryptsslp.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msasn1.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptsp.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rsaenh.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptbase.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: gpapi.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: vaultcli.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wintypes.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: windows.storage.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wldp.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntmarta.dll
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dpapi.dll
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
                      Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: C:\marahakogori-butukewu_zovo.pdb source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr

                      Data Obfuscation

                      Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 4.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                      Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 4.2.MPGPH131.exe.400000.0.unpack
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,4_2_00409D90
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045DDE5 LoadLibraryA,GetProcAddress,MessageBoxA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,SetThreadExecutionState,0_2_0045DDE5
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004C112B push ecx; iretd 4_2_004C112C
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004DD189 push ecx; ret 4_2_004DD19C
                      Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                      Source: C:\Users\user\Desktop\file.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe
                      Source: C:\Users\user\Desktop\file.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe

                      Boot Survival

                      Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                      Source: C:\Users\user\Desktop\file.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
                      Source: C:\Users\user\Desktop\file.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00482FE0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_00482FE0
                      Source: C:\Users\user\Desktop\file.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                      Source: C:\Users\user\Desktop\file.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

                      Malware Analysis System Evasion

                      Source: c:\users\user\desktop\file.exe Event Logs and Signature results: Application crash and keyboard check
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
                      Source: C:\Users\user\Desktop\file.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep graph_0-51173
                      Source: C:\Users\user\Desktop\file.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_0-47445
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
                      Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep graph_0-47675
                      Source: C:\Users\user\Desktop\file.exe Stalling execution: Execution stalls by calling Sleep graph_0-47452
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
                      Source: C:\Users\user\Desktop\file.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 0_2_0045D9F0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 4_2_0045D9F0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                      Source: C:\Users\user\Desktop\file.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-47575
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                      Source: C:\Users\user\Desktop\file.exe TID: 7452 Thread sleep count: 32 > 30
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7552 Thread sleep count: 70 > 30
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7552 Thread sleep count: 50 > 30
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7552 Thread sleep count: 36 > 30
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7720 Thread sleep count: 76 > 30
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7720 Thread sleep count: 36 > 30
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00464270 GetKeyboardLayoutList followed by cmp: cmp esi, edi and CTI: je 00464293h 0_2_00464270
                      Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004624B0 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 004624C0h country: Upper Sorbian (hsb) 0_2_004624B0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 4_2_00464270 GetKeyboardLayoutList followed by cmp: cmp esi, edi and CTI: je 00464293h 4_2_00464270
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 4_2_004624B0 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 004624C0h country: Upper Sorbian (hsb) 4_2_004624B0
                      Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00492190 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 004921D1h 0_2_00492190
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 4_2_00492190 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 004921D1h 4_2_00492190
                      Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E7B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA, 0_2_0040E7B0
                      Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004DB1CB FindClose,FindFirstFileExW,GetLastError, 0_2_004DB1CB
                      Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040B300 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_0040B300
                      Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041FA10 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_0041FA10
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 4_2_0040E7B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA, 4_2_0040E7B0
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 4_2_004DB1CB FindClose,FindFirstFileExW,GetLastError, 4_2_004DB1CB
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 4_2_0040B300 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 4_2_0040B300
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 4_2_0041FA10 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 4_2_0041FA10
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 4_2_0043EAEB FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CopyFileA,CopyFileA, 4_2_0043EAEB
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 4_2_004DB251 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 4_2_004DB251
                      Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 4_2_0043FBB9 FindFirstFileA,FindNextFileA,GetLastError,FindClose,CreateFileA,GetFileSize,ReadFile,CloseHandle, 4_2_0043FBB9
                      Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040CD50 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0040CD50
                      Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
                      Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
                      Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
                      Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_abb99b7dbfb2236439a53546d25fcd4b72b99ec0_b211229c_30d4bf65-0144-4d41-a1e5-2d1f034d6932\
                      Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
                      Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_76a8b624aa1c3f63e51b8c46f4549fe453f20_664b7b5e_236d6df2-efc0-4d22-90e1-905525e0d691\
                      Source: Amcache.hve.8.dr Binary or memory string: VMware
                      Source: MPGPH131.exe, 00000004.00000003.1715351136.0000000001B83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}G
                      Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: file.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2080428663.0000000001B5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2371863766.0000000001B6B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C51000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                      Source: MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
                      Source: MPGPH131.exe, 00000004.00000003.1715351136.0000000001B81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                      Source: MPGPH131.exe, 00000004.00000003.2354415982.0000000001C01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}I;n%
                      Source: MPGPH131.exe, 00000004.00000002.2371863766.0000000001B10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
                      Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
                      Source: MPGPH131.exe, 00000009.00000002.2305000838.0000000001C62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}f
                      Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
                      Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: MPGPH131.exe, 00000004.00000003.2322806640.000000000677E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: k&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                      Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
                      Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
                      Source: MPGPH131.exe, 00000009.00000003.1740360087.0000000001C68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}r
                      Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
                      Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_731AF5E4m.
                      Source: MPGPH131.exe, 00000004.00000003.2322806640.000000000677E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_731AF5E49
                      Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                      Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
                      Source: MPGPH131.exe, 00000009.00000002.2305000838.0000000001C60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
                      Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
                      Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
                      Source: MPGPH131.exe, 00000009.00000003.1740360087.0000000001C68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: Amcache.hve.8.drBinary or memory string: VMware20,1hbin@
                      Source: Amcache.hve.8.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                      Source: Amcache.hve.8.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                      Source: MPGPH131.exe, 00000009.00000002.2306103257.000000000676A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows~
                      Source: Amcache.hve.8.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: Amcache.hve.8.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                      Source: Amcache.hve.8.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}%
                      Source: Amcache.hve.8.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                      Source: MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_731AF5E4
                      Source: MPGPH131.exe, 00000009.00000002.2305000838.0000000001C00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&P
                      Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin`
                      Source: Amcache.hve.8.drBinary or memory string: \driver\vmci,\driver\pci
                      Source: Amcache.hve.8.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: Amcache.hve.8.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: file.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWL
                      Source: file.exe, 00000000.00000002.2082090901.0000000006780000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J6HEdjEHUub5EtqTQ2dk3wwrCNfruTWZeEqONRrqgXAW0ke6pZXg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort (4 times)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort (8 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414870 IsDebuggerPresent
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045E5D4 CreateThread,FindCloseChangeNotification,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,OutputDebugStringA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045DDE5 LoadLibraryA,GetProcAddress,MessageBoxA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,SetThreadExecutionState
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004160B0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045E5D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045E5D4 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043CA90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] (16 occurrences)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041AB90 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045D9F0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045DDE5 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414870 mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0045E5D4 mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0045E5D4 mov ecx, dword ptr fs:[00000030h]
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0043CA90 mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0045EA9C mov eax, dword ptr fs:[00000030h] (16 occurrences)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0041AB90 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0045D9F0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0045DDE5 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004160B0 mov ecx, dword ptr fs:[00000030h]
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00414870 mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00414ED0 mov eax, dword ptr fs:[00000030h] (12 occurrences)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0041EF10 mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00482C80 GetProcessHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004DD3B4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004DD74D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004E1C94 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
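Three things in the rows above are worth separating before they are used as evidence. First, the origin of each string: Amcache.hve.8.dr is the analysis host's own application-compatibility hive, captured as a dropped file, so the VMware and Hyper-V device names in it are the sandbox's hardware inventory and not something the sample went looking for; the hits in MPGPH131.exe and file.exe process memory are the ones that show the sample actually had the VMware SCSI device path in hand. Second, the fs:[00000030h] reads: on 32-bit Windows that is TEB.ProcessEnvironmentBlock, the load that precedes a check of PEB.BeingDebugged or NtGlobalFlag, but the CRT's own startup and exception-filter code (4_2_004DD3B4, 4_2_004E1C94) calls IsDebuggerPresent too, so an anti-debug verdict should rest on hand-written functions with many PEB reads such as 0_2_0045EA9C rather than on the presence of the instruction at all. Third, the DebugPort queries (NtQueryInformationProcess with ProcessDebugPort), counted per querying image. The Python triage script below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses rows of the shape shown in this section (the sample rows embedded in it are a subset copied from this section, so it runs stand-alone), also accepts rows written with a " | " separator or folded with an "(N occurrences)"/"(N times)" count, and summarises hypervisor artefacts by origin, PEB reads by function and DebugPort queries by process. The field labels and the "Jump to behavior" link text it strips are the ones visible on this page; nothing else is assumed.

```python
import re
from collections import Counter, defaultdict

# Field labels Joe Sandbox attaches to the "Source:" value, either fused directly
# onto it (as extracted above) or after a " | " separator; the regex splits a row
# into (source, field, value).
FIELDS = (
    "Binary or memory string", "String found in binary or memory",
    "Code function", "Process queried", "Process information queried",
    "Registry key value queried", "Key value queried",
    "Queries volume information", "WMI Queries", "File opened",
)
ROW_RE = re.compile(r"^Source:\s*(?P<src>.*?)(?P<field>"
                    + "|".join(re.escape(f) for f in FIELDS) + r"):\s*(?P<value>.*)$")
# "0_2_0045EA9C mov eax, ...0_2_0045EA9C": function id, body, optional trailing copy of the id
FUNC_RE = re.compile(r"^(?P<fid>\d+_\d+_[0-9A-Fa-f]{8})\s+(?P<body>.*?)(?P=fid)?$")
PEB_RE = re.compile(r"fs:\[0*30h\]", re.IGNORECASE)   # TEB.ProcessEnvironmentBlock on x86
COUNT_RE = re.compile(r"\s*\((\d+) (?:occurrences|times)\)$")
LINK_SUFFIX = "Jump to behavior"                      # link text left over from the HTML

# Substrings that identify hypervisor artefacts in the strings listed above
VM_MARKERS = {"vmware": "VMware", "vmci": "VMware VMCI", "necvmwar": "VMware SATA CD-ROM",
              "hyper-v": "Hyper-V", "virtual_disk": "virtual disk"}

def parse_row(line):
    """Split one report row into (source, field, value, count); None if it is not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    src = m.group("src").strip().rstrip("|").strip()
    value = m.group("value").strip()
    if value.endswith(LINK_SUFFIX):
        value = value[: -len(LINK_SUFFIX)].rstrip()
    count, c = 1, COUNT_RE.search(value)
    if c:                                   # "(16 occurrences)" folded rows
        count, value = int(c.group(1)), value[: c.start()]
    return src, m.group("field"), value, count

def origin(src):
    """'MPGPH131.exe, 00000004....sdmp' -> 'MPGPH131.exe'; dropped files keep their name."""
    return src.split(",")[0].strip()

def vm_artifacts(lines):
    """Hypervisor strings grouped by origin, so hive inventory and process memory stay apart."""
    hits = defaultdict(list)
    for row in map(parse_row, lines):
        if row and row[1] == "Binary or memory string":
            low = row[2].lower()
            kinds = sorted({label for marker, label in VM_MARKERS.items() if marker in low})
            if kinds:
                hits[origin(row[0])].append((row[2], kinds))
    return dict(hits)

def peb_reads(lines):
    """Number of fs:[30h] loads per function id; many in one function is the anti-debug signal."""
    counts = Counter()
    for row in map(parse_row, lines):
        if row and row[1] == "Code function":
            m = FUNC_RE.match(row[2])
            if m and PEB_RE.search(m.group("body")):
                counts[m.group("fid")] += row[3]
    return counts

def debug_port_queries(lines):
    """ProcessDebugPort queries per querying process image."""
    counts = Counter()
    for row in map(parse_row, lines):
        if row and row[1] == "Process queried" and row[2] == "DebugPort":
            counts[row[0]] += row[3]
    return counts

# Sample rows copied from the report section above (a constructed subset so the script runs stand-alone)
SAMPLE_ROWS = r"""
Source: Amcache.hve.8.drBinary or memory string: vmci.sys
Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Generation Counter
Source: MPGPH131.exe, 00000004.00000002.2371863766.0000000001B10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort (8 times)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00414870 IsDebuggerPresent,0_2_00414870
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h]0_2_0045EA9C
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h]0_2_0045EA9C
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004160B0 mov ecx, dword ptr fs:[00000030h]0_2_004160B0
""".strip().splitlines()

if __name__ == "__main__":
    for src, hits in vm_artifacts(SAMPLE_ROWS).items():
        print(src, "->", [kinds for _, kinds in hits])
    print("PEB reads per function:", dict(peb_reads(SAMPLE_ROWS)))
    print("DebugPort queries:", dict(debug_port_queries(SAMPLE_ROWS)))
```

Feed it the whole "Source:" section of a report and the per-origin split makes the Amcache noise drop out immediately, while the PEB-read histogram points at the functions that deserve a look in the disassembler.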

                      HIPS / PFW / Operating System Protection Evasion

Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_00418BB0 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject
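The chain in 4_2_00418BB0 is the classic remote-thread DLL injection: VirtualAllocEx reserves a buffer in the target, WriteProcessMemory fills it, LoadLibraryA and GetProcAddress resolve the address of LoadLibraryA in the injector's own process (kernel32.dll is mapped at the same base in every process until the next reboot, so the address is valid in the target too), and CreateRemoteThread starts a thread on that address with the buffer, holding a DLL path, as its parameter; WaitForSingleObject then waits for the load to finish. The detector below is an added example, not Joe Sandbox's signature logic and not the sample's code. It keys state on the target process handle, records which remote regions were actually written, and fires on CreateRemoteThread only when the start address or the thread parameter points into such a region; that distinguishes the DLL-injection shape from shellcode injection (start address inside the buffer) and from remote threads that never touched injected memory. The event format and the trace it runs on are constructed to follow the call order of 4_2_00418BB0; handles and addresses are invented.

```python
from dataclasses import dataclass

@dataclass
class Region:
    """A buffer the injector allocated inside the target process."""
    base: int
    size: int
    written: bool = False

    def contains(self, addr):
        return self.base <= addr < self.base + self.size

class RemoteThreadInjectionDetector:
    """Stateful matcher for VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread,
    keyed on the target process handle, as in the API sequence of 4_2_00418BB0."""

    def __init__(self):
        self.regions = {}           # hProcess -> [Region]
        self.loadlibrary = set()    # addresses GetProcAddress resolved for LoadLibrary*
        self.alerts = []

    def feed(self, ev):
        api, a = ev["api"], ev["args"]
        h = a.get("hProcess")
        if api == "VirtualAllocEx":
            self.regions.setdefault(h, []).append(Region(a["ret"], a["size"]))
        elif api == "WriteProcessMemory":
            for r in self.regions.get(h, []):
                if r.contains(a["addr"]):
                    r.written = True
        elif api == "GetProcAddress" and a["name"].startswith("LoadLibrary"):
            # DLL injection uses LoadLibraryA/W itself as the remote thread's start routine
            self.loadlibrary.add(a["ret"])
        elif api == "CreateRemoteThread":
            for r in self.regions.get(h, []):
                if not r.written:
                    continue            # allocated but never filled: nothing to execute
                if r.contains(a["start"]):
                    self.alerts.append({"kind": "shellcode_injection", "hProcess": h, "region": r.base})
                elif a["start"] in self.loadlibrary and r.contains(a.get("param", -1)):
                    self.alerts.append({"kind": "dll_injection", "hProcess": h, "region": r.base})

def scan(trace):
    """Run a whole API trace through the detector and return its alerts."""
    det = RemoteThreadInjectionDetector()
    for ev in trace:
        det.feed(ev)
    return det.alerts

def ev(api, **args):
    return {"api": api, "args": args}

# Constructed trace following the call order of 4_2_00418BB0; handles and addresses are invented
DLL_INJECTION_TRACE = [
    ev("VirtualAllocEx", hProcess=0x1A4, size=0x1000, ret=0x7A0000),
    ev("WriteProcessMemory", hProcess=0x1A4, addr=0x7A0000),          # DLL path goes here
    ev("WriteProcessMemory", hProcess=0x1A4, addr=0x7A0100),
    ev("VirtualAllocEx", hProcess=0x1A4, size=0x2000, ret=0x7B0000),
    ev("LoadLibraryA", name="kernel32.dll", ret=0x75000000),
    ev("GetProcAddress", name="LoadLibraryA", ret=0x75012340),
    ev("WriteProcessMemory", hProcess=0x1A4, addr=0x7B0000),
    ev("WriteProcessMemory", hProcess=0x1A4, addr=0x7B0800),
    ev("CreateRemoteThread", hProcess=0x1A4, start=0x75012340, param=0x7A0000),
    ev("WaitForSingleObject", handle=0x1B0),
]

if __name__ == "__main__":
    for alert in scan(DLL_INJECTION_TRACE):
        print(alert)
```

Keying on the handle matters in practice: the same injector often opens several targets, and a write to one process followed by a thread in another is not injection. A real hook-based feed would also supply the region size from the VirtualAllocEx return path and the thread's parameter from CreateRemoteThread's lpParameter, which is what the event fields here stand in for.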
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004149F0 cpuid
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CD50 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FC045 EnumSystemLocalesW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FC090 EnumSystemLocalesW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FC12B EnumSystemLocalesW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FC1B6 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F43EA EnumSystemLocalesW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FC409 GetLocaleInfoW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FC532 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FC638 GetLocaleInfoW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FC70E GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_0040CD50 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004FC045 EnumSystemLocalesW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004FC090 EnumSystemLocalesW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004FC12B EnumSystemLocalesW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004FC1B6 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004F43EA EnumSystemLocalesW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004FC409 GetLocaleInfoW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004FC532 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004FC638 GetLocaleInfoW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004FC70E GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004F496D GetLocaleInfoW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004DAFC3 GetLocaleInfoEx,FormatMessageA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 4_2_004FBD99 GetACP,IsValidCodePage,GetLocaleInfoW
Source: C:\Users\user\Desktop\file.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (2 times)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (4 times)
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation (2 times)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation (4 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CD50 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00446020 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F636F GetTimeZoneInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00491C30 GetVersionExA,CreateFileW
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe
Source: C:\Windows\SysWOW64\WerFault.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct (2 times)
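The profiling routine 0_2_0040CD50 / 4_2_0040CD50 collects the host identity (MachineGuid, hardware profile, the CentralProcessor\0 key, computer and user name, screen size, memory, display adapters, the process list) and, in the middle of it, calls GetUserDefaultLocaleName and GetKeyboardLayoutList three times. Installed keyboard layouts are the usual basis for a stealer's run-or-exit decision: every HKL that GetKeyboardLayoutList returns carries a Windows language identifier in its low 16 bits, of which the low 10 bits are the primary language (LANG_RUSSIAN is 0x19, LANG_UKRAINIAN 0x22, from winnt.h), so the check still works after the user has changed the default locale as long as the layout remains installed. The two AntiVirusProduct rows are attributed to C:\Windows\SysWOW64\WerFault.exe, the Windows Error Reporting handler, which enumerates root\SecurityCenter2 itself while assembling a crash report; on their own they do not show the sample enumerating security products. The Python below is an added example, not the sample's code and not part of the Joe Sandbox report: it decodes HKLs and a locale name the way such a check has to and applies an exclusion list. The report does not state which languages this sample excludes, so the list here is an assumption for illustration; the practical use for an analyst is the inverse one, deciding which layout an analysis VM must have, or must not have, to reach the sample's later behaviour.

```python
# Primary language identifiers from winnt.h (LANG_* constants)
LANG_ENGLISH, LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN = 0x09, 0x19, 0x22, 0x23
LANG_KAZAK, LANG_ARMENIAN, LANG_AZERI, LANG_UZBEK, LANG_TAJIK = 0x3F, 0x2B, 0x2C, 0x43, 0x28

# ASSUMPTION: an exclusion set of the kind a stealer uses. The report does not say which
# languages this sample checks; these two lists are illustrative only.
EXCLUDED_PRIMARY_LANGS = {LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN, LANG_KAZAK,
                          LANG_ARMENIAN, LANG_AZERI, LANG_UZBEK, LANG_TAJIK}
EXCLUDED_LOCALE_PREFIXES = {"ru", "uk", "be", "kk", "hy", "az", "uz", "tg"}

def langid(hkl):
    """GetKeyboardLayoutList returns HKLs; the language identifier is the low word."""
    return hkl & 0xFFFF

def primary_lang(hkl):
    """PRIMARYLANGID(): the low 10 bits of the LANGID."""
    return langid(hkl) & 0x3FF

def sub_lang(hkl):
    """SUBLANGID(): the high 6 bits of the LANGID (1 = the default region, 2 = the next one)."""
    return langid(hkl) >> 10

def layout_hits(hkls, excluded=EXCLUDED_PRIMARY_LANGS):
    """HKLs whose primary language is on the exclusion list, regardless of region."""
    return [h for h in hkls if primary_lang(h) in excluded]

def locale_hit(locale_name, prefixes=EXCLUDED_LOCALE_PREFIXES):
    """GetUserDefaultLocaleName gives 'ru-RU' style names; match on the language tag only."""
    return locale_name.split("-")[0].lower() in prefixes

def geo_guard(hkls, locale_name):
    """The decision in the shape a country-aware sample makes: refuse to run if any installed
    layout or the user locale is on the list. The reasons are returned so an analyst can see
    exactly which input tripped the check."""
    reasons = []
    hits = layout_hits(hkls)
    if hits:
        reasons.append("keyboard layouts " + ", ".join(f"0x{h:08X}" for h in hits))
    if locale_hit(locale_name):
        reasons.append("user locale " + locale_name)
    return {"excluded": bool(reasons), "reasons": reasons}

if __name__ == "__main__":
    # Constructed inputs: a US layout alone, then US plus Russian (0x04190419 is ru-RU)
    print(geo_guard([0x04090409], "en-US"))
    print(geo_guard([0x04090409, 0x04190419], "en-US"))
```

Because the match is on the primary language, a Russian layout registered for any region trips the guard, and an English locale with a secondary Russian layout is enough to stop the sample; that is why adding such a layout to a sandbox image is a cheap way to test which branch a sample takes.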

                      Stealing of Sensitive Information

Source: Yara match | File source: 9.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MPGPH131.exe.3830e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.MPGPH131.exe.38e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.MPGPH131.exe.3a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.39f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.3.MPGPH131.exe.3990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3890e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2374176971.0000000006728000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2371863766.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1684180987.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2304201006.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2305705773.0000000003830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2306103257.0000000006730000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2081934645.0000000006720000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2081435300.0000000003890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2370794973.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1666330206.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2373632178.00000000038E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.1705537281.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7448, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7716, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\rTXApvaKL9yw6N5oqHITZ9U.zip, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\HZqMYfpyMfdfHfQja15Vpq6.zip, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ax62Lo_zBXq90uwBqgwbr3X.zip, type: DROPPED
Source: file.exe, 00000000.00000002.2081934645.000000000676E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: file.exe, 00000000.00000003.1927999419.0000000006773000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: file.exe, 00000000.00000002.2081934645.000000000676E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: erty.jaxx
Source: file.exe, 00000000.00000002.2081934645.0000000006720000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.2081934645.000000000676E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: file.exe, 00000000.00000003.1927999419.0000000006773000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: file.exe, 00000000.00000002.2080428663.0000000001B5E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: file.exe, 00000000.00000003.1927999419.0000000006773000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: MPGPH131.exe, 00000004.00000002.2374368799.0000000006761000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\file.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
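The file and registry accesses listed above (Chrome Local/Sync Extension Settings for a fixed set of extension IDs, Firefox-family profile databases, Thunderbird's profiles.ini, the Outlook profile key, and the wallet directories found as strings) are the host-side footprint of the stealer, and they are the same whether the binary runs as file.exe or as the dropped MPGPH131.exe. The script below is an added example, not part of the Joe Sandbox report or of the RisePro sample: it replays events in the report's own "Source: <process> File opened: <path>" format (with or without a separator before "File opened") and flags any process that touches those stores without being the application that owns them. The extension IDs and wallet paths are copied from the report; the owner-process allowlist and the sample events are constructed for illustration.

```python
"""
Added example: flag non-owner processes that open browser credential stores,
mail profiles or cryptocurrency wallet data, using the file/registry-open
event format printed by the sandbox report.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Wallet directories/files that appear as strings in the sample's memory (from the report).
WALLET_PATH_MARKERS = (
    r"\electrum\wallets", r"\electroncash\wallets", r"\exodus\exodus.wallet",
    r"\ethereum\wallets", r"\binance\app-store.json", r"\coinomi\coinomi\wallets",
    r"\multidoge\multidoge.wallet", r"\ledger live",
)

# Chrome extension IDs whose Local/Sync Extension Settings the dropped binary opened (from the report).
EXTENSION_IDS = frozenset({
    "kncchdigobghenbbaddojjnnaogfppfj", "nkddgncdjgjfcddamfgcmfnlhccnimig",
    "fihkakfobkmkjojpchpfgcmhfjnmnfpi", "nanjmdknhkinifnkgdcggcfnhdaammmj",
    "cphhlgmgameodnhkjdmkpanlelnlohao", "kpfopkelmapcoipemfendmdcghnegimn",
    "blnieiiffboillknjnepogjhkgnoapac", "cjelfplplebdjjenllpjcblmjkfcffne",
    "amkmjjmmflddogmhpjloimipbofnfjih", "nkbihfbeogaeaoehlefnkodbefgpgknn",
    "hpglfhgfnhbgpjdenjgmdgoeiappafln", "fnjhmkhhmkbjkkabndcnnogagogbneec",
    "nhnkbkgjikgcigadomkphalanndcapjk", "nlbmnnijcnlegkjjpcfjclmcfggfefdm",
    "bhghoamapcdpbohphigoooaddinpkbai",
})

# Browser profile files holding saved logins, form history and browsing history.
BROWSER_CREDENTIAL_FILES = frozenset({
    "logins.json", "signons.sqlite", "formhistory.sqlite", "places.sqlite",
    "profiles.ini", "login data", "web data", "history",
})

MAIL_MARKERS = (r"\thunderbird\profiles.ini", r"\windows messaging subsystem\profiles\outlook")

# Assumption (constructed): processes that legitimately own these stores and are never flagged.
OWNER_PROCESSES = frozenset({"chrome.exe", "msedge.exe", "firefox.exe", "thunderbird.exe", "outlook.exe"})

# "Source: <process>[,] File opened|Key opened: <target>"; the separator is optional because the
# report itself prints the process path and "File opened" without one.
EVENT_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)\s*,?\s*(?P<kind>File opened|Key opened):\s*(?P<target>\S.*?)\s*$",
    re.IGNORECASE,
)
# Extension ID after "...Extension Settings\" or inside an IndexedDB "chrome-extension_<id>_0" directory.
EXT_ID_RE = re.compile(r"(?:extension settings\\|chrome-extension_)([a-p]{32})")


def classify(target: str) -> Optional[str]:
    """Return the sensitive-data category a path or registry key belongs to, or None."""
    low = target.lower()
    m = EXT_ID_RE.search(low)
    if m and m.group(1) in EXTENSION_IDS:
        return "wallet-extension"
    if any(marker in low for marker in WALLET_PATH_MARKERS):
        return "wallet-file"
    if any(marker in low for marker in MAIL_MARKERS):
        return "mail-credentials"
    if low.rsplit("\\", 1)[-1] in BROWSER_CREDENTIAL_FILES:
        return "browser-credentials"
    return None


def find_stealer_activity(lines: Iterable[str]) -> Dict[str, Dict[str, List[str]]]:
    """Map each non-owner process to the categories it touched and the targets per category."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        proc = m.group("proc")
        if proc.lower().rsplit("\\", 1)[-1] in OWNER_PROCESSES:
            continue  # browsers and mail clients may read their own stores
        category = classify(m.group("target"))
        if category:
            hits[proc][category].add(m.group("target"))
    return {p: {c: sorted(t) for c, t in cats.items()} for p, cats in hits.items()}


# Constructed sample events, modelled on the behaviour lines of this report.
SAMPLE_EVENTS = [
    r"Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT",
    r"Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json",
    r"Source: C:\ProgramData\MPGPH131\MPGPH131.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"Source: C:\Users\user\Desktop\file.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet",
    r"Source: C:\Program Files\Mozilla Firefox\firefox.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json",
    r"Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\Documents\notes.txt",
]

if __name__ == "__main__":
    for proc, cats in find_stealer_activity(SAMPLE_EVENTS).items():
        print(proc)
        for cat, targets in cats.items():
            print(f"  {cat}: {len(targets)} target(s)")
```

The allowlist is deliberately small: a real deployment would key it on signed image paths rather than file names, because a stealer dropped as chrome.exe would otherwise pass. The extension-ID check matters more than the file-name check, since the LevelDB CURRENT file itself is benign and only the combination of an unrelated process and a wallet extension's settings directory is suspicious.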
Source: Yara match, File source: 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: file.exe PID: 7448, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: MPGPH131.exe PID: 7548, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: MPGPH131.exe PID: 7716, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match, File source: 9.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.MPGPH131.exe.3830e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.MPGPH131.exe.38e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.3.MPGPH131.exe.3a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.file.exe.39f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.3.MPGPH131.exe.3990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.file.exe.3890e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.2374176971.0000000006728000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2371863766.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.1684180987.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.2304201006.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.2305705773.0000000003830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.2306103257.0000000006730000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2081934645.0000000006720000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2081435300.0000000003890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2370794973.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.1666330206.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2373632178.00000000038E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000003.1705537281.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: file.exe PID: 7448, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: MPGPH131.exe PID: 7548, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: MPGPH131.exe PID: 7716, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\rTXApvaKL9yw6N5oqHITZ9U.zip, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\HZqMYfpyMfdfHfQja15Vpq6.zip, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\ax62Lo_zBXq90uwBqgwbr3X.zip, type: DROPPED
Mitre Att&ck Matrix

Tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. The matrix lists, per tactic, the techniques matched by at least one signature; the number in parentheses is the count of matching signatures. Tactics with no matched technique are marked "none".

Reconnaissance: none
Resource Development: none
Initial Access: none
Execution: Windows Management Instrumentation (1), Native API (22), Command and Scripting Interpreter (2), Scheduled Task/Job (1)
Persistence: DLL Side-Loading (1), Scheduled Task/Job (1), Registry Run Keys / Startup Folder (1)
Privilege Escalation: DLL Side-Loading (1), Process Injection (11), Scheduled Task/Job (1), Registry Run Keys / Startup Folder (1)
Defense Evasion: Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (2), DLL Side-Loading (1), Masquerading (1), Virtualization/Sandbox Evasion (12), Process Injection (11)
Credential Access: OS Credential Dumping (1)
Discovery: System Time Discovery (12), Account Discovery (1), File and Directory Discovery (3), System Information Discovery (57), Query Registry (1), Security Software Discovery (271), Virtualization/Sandbox Evasion (12), Process Discovery (12), Application Window Discovery (1), System Owner/User Discovery (1), System Network Configuration Discovery (1)
Lateral Movement: none
Collection: Archive Collected Data (1), Data from Local System (2), Screen Capture (1), Email Collection (1)
Command and Control: Ingress Tool Transfer (2), Encrypted Channel (21), Non-Standard Port (1), Non-Application Layer Protocol (2), Application Layer Protocol (13)
Exfiltration: none
Impact: none
Behavior Graph (ID 1429092, sample file.exe, start date 20/04/2024, architecture WINDOWS, score 100)

Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 6 other signatures
DNS names resolved: ipinfo.io, db-ip.com

file.exe (started)
Network: 147.45.47.93, 49730, 49731, 49732, FREE-NET-AS FREEnet EU, Russian Federation; ipinfo.io 34.117.186.192, 443, 49733, 49735, GOOGLE-AS-AP Google Asia Pacific Pte Ltd SG, United States; db-ip.com 104.26.4.15, 443, 49734, 49737, CLOUDFLARENETUS, United States
Dropped: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32); C:\ProgramData\MPGPH131\MPGPH131.exe (PE32); C:\Users\user\...\HZqMYfpyMfdfHfQja15Vpq6.zip (Zip)
Signatures: Found evasive API chain (may stop execution after checking mutex); Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen); Uses schtasks.exe or at.exe to add and modify task schedules
Child processes: schtasks.exe (which started conhost.exe); schtasks.exe (which started conhost.exe); WerFault.exe; 6 other processes

MPGPH131.exe (first instance, started)
Dropped: C:\Users\user\...\rTXApvaKL9yw6N5oqHITZ9U.zip (Zip)
Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 6 other signatures
Child processes: WerFault.exe; WerFault.exe; 3 other processes

MPGPH131.exe (second instance, started)
Dropped: C:\Users\user\...\ax62Lo_zBXq90uwBqgwbr3X.zip (Zip)
Signatures: Tries to harvest and steal browser information (history, passwords, etc)
Child processes: WerFault.exe; 4 other processes

Initial sample
Source | Detection | Scanner | Label
file.exe | 100% | Joe Sandbox ML | -

Dropped files
Source | Detection | Scanner | Label
C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML | -
C:\ProgramData\MPGPH131\MPGPH131.exe | 37% | ReversingLabs | -
C:\ProgramData\MPGPH131\MPGPH131.exe | 44% | Virustotal | -
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 44% | Virustotal | -
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 37% | ReversingLabs | -

No Antivirus matches
No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://193.233.132.167/cost/lenin.exe | 100% | URL Reputation | malware
http://147.45.47.102:57893/hera/amadka.exe | 18% | Virustotal | -
http://193.233.132.167/cost/go.exe | 25% | Virustotal | -
http://193.233.132.167/cost/lenin.exeUser | 24% | Virustotal | -
http://193.233.132.167/cost/go.exelater | 24% | Virustotal | -
http://147.45.47.102:57893/hera/amadka.exe68.0 | 15% | Virustotal | -
http://193.233.132.167/cost/go.exe/ | 25% | Virustotal | -

The entries ending in "User", "later", "68.0" and "/" are the same three URLs with trailing bytes read from adjacent memory, not distinct locations; use the clean forms (lenin.exe, go.exe, amadka.exe) as indicators. All three are executable download URLs recovered from the memory of file.exe and MPGPH131.exe and correspond to the Ingress Tool Transfer entries in the ATT&CK matrix.
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipinfo.io | 34.117.186.192 | true | false | - | high
db-ip.com | 104.26.4.15 | true | false | - | high

Name | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/widget/demo/81.181.57.52 | false | - | high
https://db-ip.com/demo/home.php?s=81.181.57.52 | false | - | high

Both contacted URLs are IP-geolocation lookups of the analysis host's public address (81.181.57.52). The two services are legitimate and carry a high reputation; they should not be blocked as indicators, but a process that is not a browser querying them right after start is a useful behavioural signal for this family's country check.
Name | Source | Malicious | Antivirus Detection | Reputation

Note: the search-engine and support URLs below (duckduckgo.com, ch.search.yahoo.com, support.mozilla.org, support.office.com) are found in the harvested browser databases that the sample copied (the "Web Data", "History" and "places.sqlite" dropped files), not in the malware's own configuration; the t.me, 193.233.132.167 and 147.45.47.102 entries come from the sample's memory and are the operator-related strings.

https://db-ip.com/demo/home.php?s=81.181.57.52o | MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000003.1863969958.00000000067B5000.00000004.00000020.00020000.00000000.sdmp; file.exe, 00000000.00000003.1863132979.0000000006786000.00000004.00000020.00020000.00000000.sdmp; file.exe, 00000000.00000003.1865894751.00000000067B3000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000004.00000003.2213889732.0000000006799000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000004.00000003.2215599958.000000000679E000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000004.00000003.2213081705.0000000006777000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000009.00000003.2101566111.00000000067A7000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000009.00000003.2103342082.00000000067C5000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000009.00000003.2100938277.0000000006784000.00000004.00000020.00020000.00000000.sdmp; w6NCEqkWwTcAWeb Data.0.dr; 8HRycHnVbK4iWeb Data.9.dr; 6GKpONOgQCQDWeb Data.4.dr; amggfY1X012lWeb Data.4.dr; s_jDytUw5zVDWeb Data.0.dr; JDpwntiCRWhZWeb Data.9.dr; rdNYuR1GWMoBWeb Data.9.dr; p5yNjy0gJTQpWeb Data.0.dr; njJisi0cnX_KWeb Data.4.dr | false | - | high
https://support.mozilla.org/products/firefoxgro.allizom.troppus. | zvXrErQ5GYDFD87fZN3R3jFeplaces.sqlite.9.dr | false | - | high
https://db-ip.com/demo/home.php?s=81.181.57.52l | MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | same memory dumps and Web Data files as the https://duckduckgo.com/chrome_newtab entry above | false | - | high
https://t.me/RiseProSUPPORTs | MPGPH131.exe, 00000009.00000002.2306103257.0000000006730000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://147.45.47.102:57893/hera/amadka.exe | file.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://db-ip.com/ | file.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ipinfo.io/widget/demo/81.181.57.52u | MPGPH131.exe, 00000009.00000002.2305000838.0000000001C51000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://147.45.47.102:57893/hera/amadka.exe68.0 | MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | same memory dumps and Web Data files as the https://duckduckgo.com/chrome_newtab entry above | false | - | high
https://db-ip.com/0 | MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | file.exe, 00000000.00000003.1863448564.0000000006793000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000004.00000003.2213504678.0000000006777000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000009.00000003.2102868244.00000000067A3000.00000004.00000020.00020000.00000000.sdmp; 8MhogtJMRILwHistory.0.dr; sANT26gQMwt7History.4.dr; fzOGBVhWIKhlHistory.4.dr; uUNSZzd9cNCaHistory.9.dr; Sbg9DSp7lstNHistory.0.dr; Z2XBcxuCaxhxHistory.9.dr | false | - | high
https://t.me/RiseProSUPPORTa | MPGPH131.exe, 00000004.00000002.2374176971.0000000006728000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://193.233.132.167/cost/go.exe | file.exe, 00000000.00000002.2081934645.000000000676E000.00000004.00000020.00020000.00000000.sdmp; file.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000009.00000002.2305000838.0000000001CF3000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://ipinfo.io/widget/demo/81.181.57.52b | MPGPH131.exe, 00000009.00000002.2305000838.0000000001C7C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                                                        https://db-ip.com:443/demo/home.php?s=81.181.57.52dfile.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://ipinfo.io:443/widget/demo/81.181.57.52file.exe, 00000000.00000002.2080428663.0000000001B8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C7C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            https://ipinfo.io/widget/demo/81.181.57.52eyfile.exe, 00000000.00000002.2080428663.0000000001B5E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install8MhogtJMRILwHistory.0.dr, sANT26gQMwt7History.4.dr, fzOGBVhWIKhlHistory.4.dr, uUNSZzd9cNCaHistory.9.dr, Sbg9DSp7lstNHistory.0.dr, Z2XBcxuCaxhxHistory.9.drfalse
                                                                high
                                                                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchfile.exe, 00000000.00000003.1863969958.00000000067B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863132979.0000000006786000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865894751.00000000067B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213889732.0000000006799000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2215599958.000000000679E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213081705.0000000006777000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2101566111.00000000067A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2103342082.00000000067C5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2100938277.0000000006784000.00000004.00000020.00020000.00000000.sdmp, w6NCEqkWwTcAWeb Data.0.dr, 8HRycHnVbK4iWeb Data.9.dr, 6GKpONOgQCQDWeb Data.4.dr, amggfY1X012lWeb Data.4.dr, s_jDytUw5zVDWeb Data.0.dr, JDpwntiCRWhZWeb Data.9.dr, rdNYuR1GWMoBWeb Data.9.dr, p5yNjy0gJTQpWeb Data.0.dr, njJisi0cnX_KWeb Data.4.drfalse
                                                                  high
                                                                  https://t.me/risepro_botisepro_botMPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://193.233.132.167/cost/go.exeIdserMPGPH131.exe, 00000009.00000002.2305000838.0000000001CF3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      http://193.233.132.167/cost/lenin.exefile.exe, 00000000.00000002.2081934645.000000000676E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001CF3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmptrue
                                                                      • URL Reputation: malware
                                                                      unknown
                                                                      http://193.233.132.167/cost/lenin.exe81.57.52MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        https://db-ip.com:443/demo/home.php?s=81.181.57.52MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://193.233.132.167/cost/lenin.exeUserMPGPH131.exe, 00000009.00000002.2305000838.0000000001CF3000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                                                          https://www.google.com/images/branding/product/ico/googleg_lodp.icofile.exe, 00000000.00000003.1863969958.00000000067B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863132979.0000000006786000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865894751.00000000067B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213889732.0000000006799000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2215599958.000000000679E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213081705.0000000006777000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2101566111.00000000067A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2103342082.00000000067C5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2100938277.0000000006784000.00000004.00000020.00020000.00000000.sdmp, w6NCEqkWwTcAWeb Data.0.dr, 8HRycHnVbK4iWeb Data.9.dr, 6GKpONOgQCQDWeb Data.4.dr, amggfY1X012lWeb Data.4.dr, s_jDytUw5zVDWeb Data.0.dr, JDpwntiCRWhZWeb Data.9.dr, rdNYuR1GWMoBWeb Data.9.dr, p5yNjy0gJTQpWeb Data.0.dr, njJisi0cnX_KWeb Data.4.drfalse
                                                                            high
                                                                            https://ipinfo.io/M2_&MPGPH131.exe, 00000004.00000002.2371863766.0000000001B83000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dllfile.exe, 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2081435300.0000000003890000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1666330206.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.1684180987.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2370794973.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000004.00000002.2373632178.00000000038E0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2304201006.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000009.00000002.2305705773.0000000003830000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.1705537281.0000000003990000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=file.exe, 00000000.00000003.1863969958.00000000067B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863132979.0000000006786000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865894751.00000000067B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213889732.0000000006799000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2215599958.000000000679E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213081705.0000000006777000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2101566111.00000000067A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2103342082.00000000067C5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2100938277.0000000006784000.00000004.00000020.00020000.00000000.sdmp, w6NCEqkWwTcAWeb Data.0.dr, 8HRycHnVbK4iWeb Data.9.dr, 6GKpONOgQCQDWeb Data.4.dr, amggfY1X012lWeb Data.4.dr, s_jDytUw5zVDWeb Data.0.dr, JDpwntiCRWhZWeb Data.9.dr, rdNYuR1GWMoBWeb Data.9.dr, p5yNjy0gJTQpWeb Data.0.dr, njJisi0cnX_KWeb Data.4.drfalse
                                                                                  high
                                                                                  http://147.45.47.102:57893/hera/amadka.exeffile.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    http://upx.sf.netAmcache.hve.8.drfalse
                                                                                      high
                                                                                      https://t.me/RiseProSUPPORTfile.exe, 00000000.00000002.2080428663.0000000001B0E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2081934645.0000000006720000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2374176971.0000000006728000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2371863766.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C07000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2306103257.0000000006730000.00000004.00000020.00020000.00000000.sdmp, rTXApvaKL9yw6N5oqHITZ9U.zip.4.dr, HZqMYfpyMfdfHfQja15Vpq6.zip.0.dr, ax62Lo_zBXq90uwBqgwbr3X.zip.9.drfalse
                                                                                        high
                                                                                        https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016file.exe, 00000000.00000003.1863448564.0000000006793000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213504678.0000000006777000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2102868244.00000000067A3000.00000004.00000020.00020000.00000000.sdmp, 8MhogtJMRILwHistory.0.dr, sANT26gQMwt7History.4.dr, fzOGBVhWIKhlHistory.4.dr, uUNSZzd9cNCaHistory.9.dr, Sbg9DSp7lstNHistory.0.dr, Z2XBcxuCaxhxHistory.9.drfalse
                                                                                          high
                                                                                          http://193.233.132.167/cost/go.exeomanialisherQMPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://www.ecosia.org/newtab/file.exe, 00000000.00000003.1863969958.00000000067B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863132979.0000000006786000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865894751.00000000067B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213889732.0000000006799000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2215599958.000000000679E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213081705.0000000006777000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2101566111.00000000067A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2103342082.00000000067C5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2100938277.0000000006784000.00000004.00000020.00020000.00000000.sdmp, w6NCEqkWwTcAWeb Data.0.dr, 8HRycHnVbK4iWeb Data.9.dr, 6GKpONOgQCQDWeb Data.4.dr, amggfY1X012lWeb Data.4.dr, s_jDytUw5zVDWeb Data.0.dr, JDpwntiCRWhZWeb Data.9.dr, rdNYuR1GWMoBWeb Data.9.dr, p5yNjy0gJTQpWeb Data.0.dr, njJisi0cnX_KWeb Data.4.drfalse
                                                                                              high
                                                                                              https://ipinfo.io/Mozilla/5.0file.exe, 00000000.00000002.2080428663.0000000001B8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C7C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brD87fZN3R3jFeplaces.sqlite.9.drfalse
                                                                                                  high
                                                                                                  https://t.me/RiseProSUPPORT0oMPGPH131.exe, 00000004.00000002.2371863766.0000000001B1E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://ac.ecosia.org/autocomplete?q=file.exe, 00000000.00000003.1863969958.00000000067B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863132979.0000000006786000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865894751.00000000067B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213889732.0000000006799000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2215599958.000000000679E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213081705.0000000006777000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2101566111.00000000067A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2103342082.00000000067C5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2100938277.0000000006784000.00000004.00000020.00020000.00000000.sdmp, w6NCEqkWwTcAWeb Data.0.dr, 8HRycHnVbK4iWeb Data.9.dr, 6GKpONOgQCQDWeb Data.4.dr, amggfY1X012lWeb Data.4.dr, s_jDytUw5zVDWeb Data.0.dr, JDpwntiCRWhZWeb Data.9.dr, rdNYuR1GWMoBWeb Data.9.dr, p5yNjy0gJTQpWeb Data.0.dr, njJisi0cnX_KWeb Data.4.drfalse
                                                                                                      high
                                                                                                      https://t.me/risepro_botMPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2240485249.00000000067AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2306103257.0000000006730000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.9.dr, passwords.txt.0.dr, passwords.txt.4.drfalse
                                                                                                        high
                                                                                                        http://193.233.132.167/cost/lenin.exe.exeData.MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://t.Sfile.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            https://db-ip.com/demo/home.php?s=81.181.57.52u_MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://ipinfo.io/MPGPH131.exe, 00000009.00000002.2305000838.0000000001C41000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2305000838.0000000001C7C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://t.me/risepro_bothMPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://193.233.132.167/cost/go.exelaterfile.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                                                                                                  https://www.maxmind.com/en/locate-my-ip-addressfile.exe, MPGPH131.exefalse
                                                                                                                    high
                                                                                                                    https://ipinfo.io/=Rfile.exe, 00000000.00000002.2080428663.0000000001B5E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://www.winimage.com/zLibDllfile.exe, file.exe, 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2081435300.0000000003890000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1666330206.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000004.00000003.1684180987.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2370794973.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000004.00000002.2373632178.00000000038E0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2304201006.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000009.00000002.2305705773.0000000003830000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.1705537281.0000000003990000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://193.233.132.167/cost/go.exeoin7FwmBKlOFGfile.exe, 00000000.00000002.2081934645.000000000676E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          https://support.mozilla.orgD87fZN3R3jFeplaces.sqlite.9.drfalse
                                                                                                                            high
                                                                                                                            https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples8MhogtJMRILwHistory.0.dr, sANT26gQMwt7History.4.dr, fzOGBVhWIKhlHistory.4.dr, uUNSZzd9cNCaHistory.9.dr, Sbg9DSp7lstNHistory.0.dr, Z2XBcxuCaxhxHistory.9.drfalse
                                                                                                                              high
                                                                                                                              http://193.233.132.167/cost/lenin.exeerty.jaxxfile.exe, 00000000.00000002.2081934645.000000000676E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                https://t.me/risepro_botlaterTfile.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://193.233.132.167/cost/lenin.exeaniafile.exe, 00000000.00000002.2080428663.0000000001B96000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=file.exe, 00000000.00000003.1863969958.00000000067B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863132979.0000000006786000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865894751.00000000067B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213889732.0000000006799000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2215599958.000000000679E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.2213081705.0000000006777000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2101566111.00000000067A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2103342082.00000000067C5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2100938277.0000000006784000.00000004.00000020.00020000.00000000.sdmp, w6NCEqkWwTcAWeb Data.0.dr, 8HRycHnVbK4iWeb Data.9.dr, 6GKpONOgQCQDWeb Data.4.dr, amggfY1X012lWeb Data.4.dr, s_jDytUw5zVDWeb Data.0.dr, JDpwntiCRWhZWeb Data.9.dr, rdNYuR1GWMoBWeb Data.9.dr, p5yNjy0gJTQpWeb Data.0.dr, njJisi0cnX_KWeb Data.4.drfalse
                                                                                                                                      high
                                                                                                                                      https://t.me/RiseProSUPPORT~MPGPH131.exe, 00000009.00000002.2306103257.0000000006730000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://193.233.132.167/cost/go.exe/MPGPH131.exe, 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                                                                                                                        http://www.winimage.com/zLibDllDpRTpRfile.exe, 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2081435300.0000000003890000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1666330206.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000003.1684180987.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000004.00000002.2370794973.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000004.00000002.2373632178.00000000038E0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2304201006.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000009.00000002.2305705773.0000000003830000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.1705537281.0000000003990000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://t.me/risepro_botriseproon1MPGPH131.exe, 00000004.00000002.2371863766.0000000001B96000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
IP              Domain      Country             ASN     ASN Name                                Malicious
34.117.186.192  ipinfo.io   United States       139070  GOOGLE-AS-APGoogleAsiaPacificPteLtdSG   false
147.45.47.93    unknown     Russian Federation  2895    FREE-NET-ASFREEnetEU                    true
104.26.4.15     db-ip.com   United States       13335   CLOUDFLARENETUS                         false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1429092
Start date and time: 2024-04-20 20:04:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@26/137@2/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 85
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): WerFault.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded maximum capacity and may be missing behavior information.
• Report size exceeded maximum capacity and may be missing disassembly code.
• Report size getting too big: too many NtCreateFile calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
Time      Type            Description
19:04:58  Task Scheduler  Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
19:05:00  Task Scheduler  Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
19:05:03  Autostart       Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
19:05:13  Autostart       Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                • 104.26.13.205
                                                                                                                                                                Essay on Resolution of Korean Forced Labor Claims.vbsGet hashmaliciousUnknownBrowse
                                                                                                                                                                • 104.26.15.182
                                                                                                                                                                VN24A02765.PDF.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                • 104.26.13.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
----- | ---------------------------- | --------- | ----------- | -------
a0e9f5d64349fb13191bc781f81f42e1 | pSfqOmM1DG.exe | malicious | Remcos, DBatLoader | 34.117.186.192, 104.26.4.15
 | file.exe | malicious | LummaC | 34.117.186.192, 104.26.4.15
 | hta.hta | malicious | Unknown | 34.117.186.192, 104.26.4.15
 | 2M1NS61GG8.exe | malicious | LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, RedLine, zgRAT | 34.117.186.192, 104.26.4.15
 | RrHuyQ4GzG.exe | malicious | LummaC | 34.117.186.192, 104.26.4.15
 | SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe | malicious | Unknown | 34.117.186.192, 104.26.4.15
 | SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe | malicious | Unknown | 34.117.186.192, 104.26.4.15
 | FFE Order details - Cincy v41720.xlsx | malicious | Unknown | 34.117.186.192, 104.26.4.15
 | z47Danfe-Pedido17042024.msi | malicious | MicroClip | 34.117.186.192, 104.26.4.15
 | SecuriteInfo.com.Trojan.Siggen28.27399.23329.29047.exe | malicious | Remcos, DBatLoader | 34.117.186.192, 104.26.4.15

No context

Process: C:\Users\user\Desktop\file.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 952832
Entropy (8bit): 7.663785344043907
Encrypted: false
SSDEEP: 24576:3IwoFmXsR3sf1viW1V6T/uKWZUtH6z1o:YuosfYWH6zuKd6z
MD5: A815D2D73A30DFCAB21000B326B29C13
SHA1: B9EC12B977B9EE6ECDCB74C7E718AD4018755625
SHA-256: 9BA89A594158DCAD47219D1FFFC94D54CEAB08AA934DFAF80A9880FEFD3E3070
SHA-512: 8F0CAD5A685E5D6093F2A7C13B1EA3B7F3F267D72D95185621DC197031711E7D6EEBA589FB08F96CCD69F5801FA7573E4818EE226E23AA7E460578D827A5FE97
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 37%
• Antivirus: Virustotal, Detection: 44%

Process: C:\Users\user\Desktop\file.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Preview: [ZoneTransfer]....ZoneId=0

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9083528137827849
Encrypted: false
SSDEEP: 192:lqQNDuzQ8PP056r96E6jjlOZrYFzuiFAZ24IO8Nj6t:lqy+QK856rwjnzuiFAY4IO8e
MD5: C2D58F92DD1B0963B10A3EB2EFA60D46
SHA1: BF82BCBC9BBB042222735C22A07CC197EE2DC602
SHA-256: 9D9658D0E7A9CB0A3692BF7CD1C91D331C0A97CC890A9A94719DAC0AFB083001
SHA-512: 814398FE4E29AF2D15A48E1D5D9BD7DE32DB07DF4A31EA39A4B60D55A34CB02D5A7C56800FCA8D3F2325B06088E1585FFCA355D877272424738C9B79A6DB1CDA
Malicious: false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.1.0.9.9.0.1.1.3.3.3.2.5.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.3.6.d.6.d.f.2.-.e.f.c.0.-.4.d.2.2.-.9.0.e.1.-.9.0.5.5.2.5.e.0.d.6.9.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.0.6.d.4.4.f.3.-.6.e.e.8.-.4.5.9.e.-.8.6.f.5.-.c.d.6.6.5.9.9.5.c.4.e.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.7.c.-.0.0.0.1.-.0.0.1.4.-.b.c.6.6.-.b.2.4.1.4.d.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.3.6.b.e.9.c.1.f.9.7.5.a.b.3.8.7.c.9.1.c.5.0.e.1.5.6.3.9.8.4.0.0.0.0.0.a.1.6.!.0.0.0.0.b.9.e.c.1.2.b.9.7.7.b.9.e.e.6.e.c.d.c.b.7.4.c.7.e.7.1.8.a.d.4.0.1.8.7.5.5.6.2.5.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9486252450686662
Encrypted: false
SSDEEP: 192:4yDfNDuzV8PP056r96E6jjlOZrYKzuiFAZ24IO8Nj6t:4yDl+VK856rwjYzuiFAY4IO8e
MD5: 6C30E1231E125E48C3FECBE03F948286
SHA1: 3903FE806D7021463375540069AC1734A04D7650
SHA-256: DFBF8B8E18FBFF8B7B40FD16653E6D4FDFE9D2BF41D1ACFF6108F7F9F3AC4EE8
SHA-512: 6B7F9354A1D0FECFFF1671B450DFF4BEDB282200C572D05D5B022AA3C25E226F623B34A9AC7074E9DDF8227CA445257F64DCC09C94014B648661519AEDA52BEA
Malicious: false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.1.0.9.9.0.9.9.1.6.5.3.7.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.7.e.5.6.9.0.c.-.1.1.2.c.-.4.d.2.2.-.9.e.9.9.-.8.c.6.f.0.b.1.4.3.8.2.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.4.a.0.4.e.e.1.-.9.a.8.c.-.4.5.c.9.-.a.7.e.b.-.d.d.d.3.e.4.7.4.1.e.9.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.7.c.-.0.0.0.1.-.0.0.1.4.-.b.c.6.6.-.b.2.4.1.4.d.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.3.6.b.e.9.c.1.f.9.7.5.a.b.3.8.7.c.9.1.c.5.0.e.1.5.6.3.9.8.4.0.0.0.0.0.a.1.6.!.0.0.0.0.b.9.e.c.1.2.b.9.7.7.b.9.e.e.6.e.c.d.c.b.7.4.c.7.e.7.1.8.a.d.4.0.1.8.7.5.5.6.2.5.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9016378017826701
Encrypted: false
SSDEEP: 192:goODuznZ8PP056r96E6jj3ZZrMCzuiFAZ24IO8Nj6t:gJ+ZK856rwjnzuiFAY4IO8e
MD5: 14E0C1AF6EC2622D5F02899354B9E4B1
SHA1: 4C487464196348BEB767549E2B35FE70729B5AA1
SHA-256: AE913AEE539E10CC5CC498E9A82D18323AC2173F6104AC44DEE7A68BB1BB8160
SHA-512: B196BCB56072F04A7719F4CCFD50665CF8A88875332BAFA9204060BB1D92800D53E949F952CB0513629A300543CBE4148F35E186A4BA0E1203521328CC864AD3
Malicious: false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.1.0.9.9.0.3.4.8.7.6.0.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.b.b.c.9.9.b.4.-.5.8.7.d.-.4.0.f.e.-.a.c.5.9.-.0.c.b.e.6.3.3.0.3.7.4.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.e.f.a.0.c.5.a.-.9.8.3.a.-.4.f.6.4.-.b.a.0.0.-.3.f.d.5.a.0.9.7.e.d.8.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.2.4.-.0.0.0.1.-.0.0.1.4.-.d.f.a.9.-.f.f.4.2.4.d.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.3.6.b.e.9.c.1.f.9.7.5.a.b.3.8.7.c.9.1.c.5.0.e.1.5.6.3.9.8.4.0.0.0.0.0.a.1.6.!.0.0.0.0.b.9.e.c.1.2.b.9.7.7.b.9.e.e.6.e.c.d.c.b.7.4.c.7.e.7.1.8.a.d.4.0.1.8.7.5.5.6.2.5.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9419704580788043
Encrypted: false
SSDEEP: 192:uwODuzPZ8PP056r96E6jj3ZZrMbzuiFAZ24IO8Nj6t:uB+RK856rwjmzuiFAY4IO8e
MD5: 0C008DBC6116A14D43BD7A07A0699E47
SHA1: 29AA1F1F6016745B4B87B0634D67EDAD9689251E
SHA-256: 0C52440C687C814495331072FE68C931A37FE056CABC6738F21DE85C68891B92
SHA-512: C5BAD63BBC25E24A877894EFCFA5BB458E73FFD826E5D9F97959B0CBFBAA2EFAEFAB569F46592A730FFB4C68224795219BB604ABA05E65585C71E8D5FEB98B0A
Malicious: false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.1.0.9.9.1.0.1.6.5.5.9.0.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.e.f.b.3.5.5.5.-.b.b.7.7.-.4.6.3.5.-.b.3.c.4.-.8.8.d.1.0.f.7.f.c.5.5.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.4.0.2.d.0.d.d.-.b.5.5.c.-.4.9.6.d.-.b.e.a.4.-.8.7.c.3.8.c.6.0.9.e.c.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.2.4.-.0.0.0.1.-.0.0.1.4.-.d.f.a.9.-.f.f.4.2.4.d.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.3.6.b.e.9.c.1.f.9.7.5.a.b.3.8.7.c.9.1.c.5.0.e.1.5.6.3.9.8.4.0.0.0.0.0.a.1.6.!.0.0.0.0.b.9.e.c.1.2.b.9.7.7.b.9.e.e.6.e.c.d.c.b.7.4.c.7.e.7.1.8.a.d.4.0.1.8.7.5.5.6.2.5.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.941524841998161
Encrypted: false
SSDEEP: 192:JUODuzPZ8PP056r96E6jj3ZZrMbzuiFAZ24IO8Nj6t:JF+RK856rwjmzuiFAY4IO8e
MD5: D8D7A071E43AFE3A7E4BE969543FE55B
SHA1: 8943FBDAE76B82274190C10FA1EF52396514FA46
SHA-256: A2781ED42CC79AE7F9754D99D915B6366838DB67786F2DE186D2E0593CCE24AF
SHA-512: 12BD614CA319A4501250A3B73E16271554B733051BD647D4776CC1CD13946564B5D477E0D2DBCCDE7D8E7A376D8575548294035EB521A2AEB75A2A934E5A7DDB
Malicious: false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.1.0.9.9.1.0.9.9.3.8.6.3.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.5.d.9.8.1.3.8.-.d.9.1.5.-.4.3.5.5.-.b.8.0.8.-.1.1.2.0.7.a.a.2.a.2.0.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.a.a.7.1.c.e.1.-.8.8.f.e.-.4.a.a.6.-.a.b.3.8.-.1.5.0.d.4.a.4.3.d.7.2.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.2.4.-.0.0.0.1.-.0.0.1.4.-.d.f.a.9.-.f.f.4.2.4.d.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.3.6.b.e.9.c.1.f.9.7.5.a.b.3.8.7.c.9.1.c.5.0.e.1.5.6.3.9.8.4.0.0.0.0.0.a.1.6.!.0.0.0.0.b.9.e.c.1.2.b.9.7.7.b.9.e.e.6.e.c.d.c.b.7.4.c.7.e.7.1.8.a.d.4.0.1.8.7.5.5.6.2.5.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9287725445009142
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:Nbl2NDuzBY8PP056r96E6jjlOZrYCzuiFAZ24IO8Nj6t:Nblk+eK856rwjQzuiFAY4IO8e
                                                                                                                                                                MD5:A03FBD398374CF71607D2631BA01B811
                                                                                                                                                                SHA1:4DB2597B6AEF99364525F9CE486613AEFF409949
                                                                                                                                                                SHA-256:4A830B61D07F6723AC3A0B7073FD0C6FFF3C5C5954944DE263EC2C88618BAC31
                                                                                                                                                                SHA-512:17B8F58B723EF69BA17A15145FAB0D587EDE61E603D873B9476048F80776A859E6AC969A0755340A104CC14E4038A885D2F75FFBDFDEBDF5529232C514ABE927
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.1.0.9.9.0.8.0.9.1.0.0.8.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.1.a.1.c.6.6.4.-.e.6.9.3.-.4.6.3.e.-.9.3.1.0.-.d.4.c.b.4.2.0.9.9.4.7.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.1.9.9.0.2.a.1.-.5.6.9.e.-.4.4.f.8.-.a.6.d.8.-.4.3.f.1.5.d.1.b.f.a.7.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.7.c.-.0.0.0.1.-.0.0.1.4.-.b.c.6.6.-.b.2.4.1.4.d.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.3.6.b.e.9.c.1.f.9.7.5.a.b.3.8.7.c.9.1.c.5.0.e.1.5.6.3.9.8.4.0.0.0.0.0.a.1.6.!.0.0.0.0.b.9.e.c.1.2.b.9.7.7.b.9.e.e.6.e.c.d.c.b.7.4.c.7.e.7.1.8.a.d.4.0.1.8.7.5.5.6.2.5.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9416254272087246
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:iyODuzSZ8PP056r96E6jj3ZZrMbzuiFAZ24IO8Nj6t:iz+kK856rwjmzuiFAY4IO8e
                                                                                                                                                                MD5:894CA1D6BE3D41351DA0EFDA1DB39FC3
                                                                                                                                                                SHA1:844CB579706C78B3771068E59C16577B9DE87F6F
                                                                                                                                                                SHA-256:D02519A5D3104A49DF5FEDBB1F9C6DAB27658DFF117C2DF3A016ACCAB312EE0F
                                                                                                                                                                SHA-512:5153AFD4EDB4DE3A02C85CD931355BCAD9E003EED61F86BBC7F1A00515EC0DB8A3056A61FE52448E19997F0C16CD431E378B93E46E954626FC4E82052C8918F6
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.1.0.9.9.0.8.9.7.4.3.9.0.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.c.f.8.c.e.8.f.-.1.a.e.d.-.4.2.0.1.-.8.a.6.3.-.0.b.0.0.a.b.b.7.e.d.e.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.7.9.b.a.6.9.7.-.9.9.c.1.-.4.7.f.f.-.9.b.0.6.-.d.3.e.d.9.e.2.b.2.2.0.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.2.4.-.0.0.0.1.-.0.0.1.4.-.d.f.a.9.-.f.f.4.2.4.d.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.3.6.b.e.9.c.1.f.9.7.5.a.b.3.8.7.c.9.1.c.5.0.e.1.5.6.3.9.8.4.0.0.0.0.0.a.1.6.!.0.0.0.0.b.9.e.c.1.2.b.9.7.7.b.9.e.e.6.e.c.d.c.b.7.4.c.7.e.7.1.8.a.d.4.0.1.8.7.5.5.6.2.5.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9483613402826472
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:s3NDuzS8PP056r96E6jjlOZrYKzuiFAZ24IO8Nj6tR:++SK856rwjYzuiFAY4IO8eR
                                                                                                                                                                MD5:FA7B657A309FA81B6308680EABFCBB20
                                                                                                                                                                SHA1:EC051E90B0D3940B138141B9CACD62F688B266EB
                                                                                                                                                                SHA-256:0578B3C16D4D2344482FD77F2B43769AFEADEDB16D7AC786BBFA7F672A58CCBC
                                                                                                                                                                SHA-512:4C29FD284B7124B591E711BE7ECC377148537FA5C058976951F952FB39923355313080D0C29F2F8A733179CCF7DE6DF798CF623D513C249B976053D22DFB2822
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.1.0.9.9.1.0.6.9.5.3.9.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.6.8.d.5.9.0.d.-.f.3.f.c.-.4.4.f.0.-.b.3.4.1.-.e.9.9.6.d.c.a.8.8.9.8.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.3.d.1.c.b.6.2.-.3.9.f.0.-.4.e.f.4.-.a.6.f.0.-.d.3.3.a.8.e.5.f.6.0.e.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.7.c.-.0.0.0.1.-.0.0.1.4.-.b.c.6.6.-.b.2.4.1.4.d.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.3.6.b.e.9.c.1.f.9.7.5.a.b.3.8.7.c.9.1.c.5.0.e.1.5.6.3.9.8.4.0.0.0.0.0.a.1.6.!.0.0.0.0.b.9.e.c.1.2.b.9.7.7.b.9.e.e.6.e.c.d.c.b.7.4.c.7.e.7.1.8.a.d.4.0.1.8.7.5.5.6.2.5.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9218842597270595
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:x4ODuzrZ8PP056r96E6jj3ZZrMQzuiFAZ24IO8Nj6t:v+VK856rwjNzuiFAY4IO8e
                                                                                                                                                                MD5:792CA43544142B5F59F58B2EF17BB85F
                                                                                                                                                                SHA1:DFAD3B97966BA37391457E139BBB7CB271004D90
                                                                                                                                                                SHA-256:55822D0A067D4B36688A38C7B3CB1FAC391DCC748DDBD3D1408DF55389F705D9
                                                                                                                                                                SHA-512:FCEB3A0E1224C20EE1A762DBFE3570E9F2C256B74B3D20C7334339AE7149B6AB34E2957EB37BF7630431EC232DAA5914D5C003A6A6216BE667580B1A1061530D
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.1.0.9.9.0.8.1.9.6.7.7.4.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.e.8.2.a.e.9.1.-.0.9.8.c.-.4.3.c.8.-.a.f.9.8.-.7.8.b.9.8.9.4.5.d.2.f.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.6.0.1.2.a.b.-.9.7.c.b.-.4.c.1.a.-.a.c.c.1.-.f.9.d.a.1.7.5.5.8.e.d.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.2.4.-.0.0.0.1.-.0.0.1.4.-.d.f.a.9.-.f.f.4.2.4.d.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.3.6.b.e.9.c.1.f.9.7.5.a.b.3.8.7.c.9.1.c.5.0.e.1.5.6.3.9.8.4.0.0.0.0.0.a.1.6.!.0.0.0.0.b.9.e.c.1.2.b.9.7.7.b.9.e.e.6.e.c.d.c.b.7.4.c.7.e.7.1.8.a.d.4.0.1.8.7.5.5.6.2.5.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9486315009404476
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:ZVPNDuz18PP056r96E6jjlOZrYKzuiFAZ24IO8Nj6t:ZVV+1K856rwjYzuiFAY4IO8e
                                                                                                                                                                MD5:C7B5C0A5D0232BDCFFBF2784EEB5F986
                                                                                                                                                                SHA1:D6E102BC383AE770A6F06909F739D65761A8361D
                                                                                                                                                                SHA-256:18972E0C2A294385BEB77039A95661ADB24B14D9AC8E0E1DC7D711199BA21C08
                                                                                                                                                                SHA-512:2F41F7F65A952E007DD840327318807FCE8A82D4C40158FD5C4426E6C0790F53C2C97D86CDE83E031A539DE7B9A0CBE10464D1E68FAA4CA24D804DF9869DB24E
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.1.0.9.9.0.8.9.8.4.0.4.2.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.0.7.b.f.e.b.-.e.2.8.3.-.4.4.7.b.-.b.7.f.c.-.1.a.1.9.7.4.4.6.d.c.2.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.6.e.1.9.d.7.a.-.e.4.5.e.-.4.5.9.b.-.a.4.9.7.-.0.0.f.5.0.a.2.6.3.b.e.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.7.c.-.0.0.0.1.-.0.0.1.4.-.b.c.6.6.-.b.2.4.1.4.d.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.3.6.b.e.9.c.1.f.9.7.5.a.b.3.8.7.c.9.1.c.5.0.e.1.5.6.3.9.8.4.0.0.0.0.0.a.1.6.!.0.0.0.0.b.9.e.c.1.2.b.9.7.7.b.9.e.e.6.e.c.d.c.b.7.4.c.7.e.7.1.8.a.d.4.0.1.8.7.5.5.6.2.5.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9479126346944594
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:EC3dxvpP7P056rPI3jlOZrYKzuiFAZ24IO8kVB:jrpj856rIj4zuiFAY4IO8a
                                                                                                                                                                MD5:0CB964360E32231654471ABE9A560311
                                                                                                                                                                SHA1:FBE8F786E91742C4741EBA07C18CCDE5CDA577F8
                                                                                                                                                                SHA-256:068F83D3F089B14CCE759BCE1FAE6FA2027B5E85F562BE959268895D2AC253F5
                                                                                                                                                                SHA-512:F3C582A329E4D05109DE6C82051941314E6741000D76CD1C5B39BBBEF214BE99C33BE29A17173EAB88733D37F5999BDC3059C7A6EB2B6986A90CC0672ACFADCC
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.1.0.9.9.0.3.8.2.7.2.3.4.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.6.e.4.8.3.d.4.-.f.b.d.0.-.4.c.c.6.-.b.4.5.d.-.6.b.9.e.2.9.e.7.7.8.6.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.c.a.8.d.f.6.2.-.6.f.c.b.-.4.b.e.2.-.a.1.8.6.-.2.4.b.e.4.f.b.1.b.6.4.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.1.8.-.0.0.0.1.-.0.0.1.4.-.a.a.5.c.-.a.9.4.0.4.d.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.b.9.e.c.1.2.b.9.7.7.b.9.e.e.6.e.c.d.c.b.7.4.c.7.e.7.1.8.a.d.4.0.1.8.7.5.5.6.2.5.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9082570473798708
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:AYC3dxv1P7P056rPI3jlOZrY3zuiFAZ24IO8kVB:AHr1j856rIjVzuiFAY4IO8a
                                                                                                                                                                MD5:DF7F34E502EC27E2B35BF425E2C7328D
                                                                                                                                                                SHA1:EA16BBC8E8884810CC38588AD01DD5A5E45EE0BF
                                                                                                                                                                SHA-256:9B78DFD8319DB19F8FD6317B8EAFFD5FB7497BE84E100CE480EA074D3326B63A
                                                                                                                                                                SHA-512:1F73A6DFD01FBFBC9907A17273A5F7E31C1AADA8ED6A894217AE95FFD2810FDFB1C5ECF8C329D2FFA619340B951582BD6996A93BB825165BC4CDCE7A451A8A64
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.1.0.9.8.9.8.8.9.8.9.9.4.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.0.d.4.b.f.6.5.-.0.1.4.4.-.4.d.4.1.-.a.1.e.5.-.2.d.1.f.0.3.4.d.6.9.3.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.2.9.2.7.0.6.f.-.f.4.d.a.-.4.f.c.1.-.8.8.9.9.-.7.a.1.5.b.b.1.f.b.0.6.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.1.8.-.0.0.0.1.-.0.0.1.4.-.a.a.5.c.-.a.9.4.0.4.d.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.b.9.e.c.1.2.b.9.7.7.b.9.e.e.6.e.c.d.c.b.7.4.c.7.e.7.1.8.a.d.4.0.1.8.7.5.5.6.2.5.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):1.0220047215986188
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:vZC3dxvxP7P056rPI3jlOZrYTjzuiFAZ24IO8kVB:vcrxj856rIj9zuiFAY4IO8a
                                                                                                                                                                MD5:FCB643566D3A9CD52F83548945A00664
                                                                                                                                                                SHA1:FDBCCA91C1A4F3289D131CBDAE9E9D31A2A6C7FF
                                                                                                                                                                SHA-256:1F9599BE38C3759E0CBF948CDB5D02E4A6E95E7C37AC14EE39EC101F346D4BF7
                                                                                                                                                                SHA-512:3BC72BEC502DBB59FD372AE461A57FE1FFECBE603D785CE3ECBD3B2FB315995397100B6B33F856A3352BD1E32FFF7EC628A83CF6A8B21BB773489D4CECB61335
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.1.0.9.9.0.5.8.1.3.7.7.9.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.0.f.7.c.2.e.0.-.e.9.5.3.-.4.2.7.4.-.8.0.9.a.-.1.3.0.a.c.2.1.e.0.6.e.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.7.0.b.f.f.0.3.-.6.2.8.8.-.4.0.1.9.-.a.3.6.3.-.0.f.0.f.1.3.c.d.9.3.3.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.1.8.-.0.0.0.1.-.0.0.1.4.-.a.a.5.c.-.a.9.4.0.4.d.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.b.9.e.c.1.2.b.9.7.7.b.9.e.e.6.e.c.d.c.b.7.4.c.7.e.7.1.8.a.d.4.0.1.8.7.5.5.6.2.5.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9954592610527487
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:AC3dxvBP7P056rPI3jlOZrYTBzuiFAZ24IO8kVBw:PrBj856rIj/zuiFAY4IO8aw
                                                                                                                                                                MD5:87524515C3EFA3CFD540256CDBD9FFB5
                                                                                                                                                                SHA1:A748026F7C91CF947AC82961BFEB76982A3E7EFE
                                                                                                                                                                SHA-256:A4492CA56F9346C82886DE95D81FD96A05398194621743EC88FF19116DF32F0E
                                                                                                                                                                SHA-512:F9F066D341DC32798BABF133299C8B38C83533C81ADA8B78A11A900B7F5B058721F6C14315DE200E26AED5B70025D8417A4C7835EB8A99DB2666CAC571BA4EAE
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.1.0.9.9.0.4.9.9.6.1.1.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.5.0.c.c.4.8.4.-.f.1.2.5.-.4.e.6.a.-.a.9.b.7.-.3.7.b.8.2.1.5.5.3.d.c.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.0.c.2.0.a.d.a.-.8.4.f.3.-.4.a.6.9.-.a.f.0.4.-.7.a.9.d.6.9.3.d.0.3.1.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.1.8.-.0.0.0.1.-.0.0.1.4.-.a.a.5.c.-.a.9.4.0.4.d.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.b.9.e.c.1.2.b.9.7.7.b.9.e.e.6.e.c.d.c.b.7.4.c.7.e.7.1.8.a.d.4.0.1.8.7.5.5.6.2.5.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9485875259657537
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:XyC3dxvcP7P056rPI3jlOZrYKzuiFAZ24IO8kVB:Xprcj856rIj4zuiFAY4IO8a
                                                                                                                                                                MD5:26C7C3878214885F844FA4FBF24FA250
                                                                                                                                                                SHA1:83FA7745515E05BCCA6ECA685E30C471260219EF
                                                                                                                                                                SHA-256:39122C5F365606B639DC55ACCD0B760C679834D112C66908D72B61BFF4039304
                                                                                                                                                                SHA-512:6D731FCFF2AD9241885D33ED9B34B6DB69BEC1CD7008E4489AC56E02B2A8161776E4AED456753D1B9834B7A717329ED0618235BBC65908A3702A1A0A3F012D68
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.1.0.9.9.0.2.9.4.7.2.4.9.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.1.c.1.b.9.1.c.-.1.7.7.b.-.4.c.7.3.-.b.3.3.d.-.0.f.f.a.0.a.8.7.2.f.f.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.5.5.3.6.1.7.8.-.4.4.b.b.-.4.a.8.0.-.9.8.4.8.-.7.a.7.1.0.f.8.5.3.7.6.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.1.8.-.0.0.0.1.-.0.0.1.4.-.a.a.5.c.-.a.9.4.0.4.d.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.b.9.e.c.1.2.b.9.7.7.b.9.e.e.6.e.c.d.c.b.7.4.c.7.e.7.1.8.a.d.4.0.1.8.7.5.5.6.2.5.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9221151133073655
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:TC3dxv/P7P056rPI3jlOZrY9zuiFAZ24IO8kVB:er/j856rIjvzuiFAY4IO8a
                                                                                                                                                                MD5:31231EB7BCEC64461E2962CEE7D241B3
                                                                                                                                                                SHA1:F7165E911B9CDD3B2CE250866F285E5DDF860268
                                                                                                                                                                SHA-256:2E2835BA9620B21306D7F0E9C7D929044E0750B91D3E37B0064049363A974625
                                                                                                                                                                SHA-512:4A1E89161401A95F33392916EA546045BE4B65AFE8849CF76CF2402BF2F6EA286811D5822472E4DACA5B26FAC0A8E26D90CFD824B9DED673DC1D6C1CCB809B06
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.1.0.9.9.0.1.6.3.8.2.7.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.7.f.5.9.a.8.-.8.b.5.9.-.4.9.9.2.-.8.6.c.8.-.6.3.a.5.f.0.6.2.7.f.3.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.8.0.2.d.9.0.0.-.4.8.b.5.-.4.9.8.1.-.9.e.6.5.-.5.f.9.8.6.2.7.6.7.0.2.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.1.8.-.0.0.0.1.-.0.0.1.4.-.a.a.5.c.-.a.9.4.0.4.d.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.b.9.e.c.1.2.b.9.7.7.b.9.e.e.6.e.c.d.c.b.7.4.c.7.e.7.1.8.a.d.4.0.1.8.7.5.5.6.2.5.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9281864689477678
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:0C3dxvsP7P056rPI3jlOZrYPzuiFAZ24IO8kVB:zrsj856rIj9zuiFAY4IO8a
                                                                                                                                                                MD5:DBF01CD42B58D451DD0556073954BB47
                                                                                                                                                                SHA1:96A86FAD146FA4FB7E13CB6F9D15F55CC24E1790
                                                                                                                                                                SHA-256:8F2078E020256DC71D3484826CA91477EFE1138711A3B6025F6A58600F252C60
                                                                                                                                                                SHA-512:D52369E0DEAAB7BB0C5697E65B50C37EB5077507706EA8657EC97CEB2EFCCE4BC76466958670635C7E77CACCD6FB216B64FBC39AD9C04C5F6AB6403314DD413D
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.1.0.9.9.0.2.2.7.0.4.5.8.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.a.e.d.0.f.0.5.-.9.0.4.b.-.4.a.9.9.-.8.e.3.6.-.6.a.8.3.6.e.b.b.d.0.a.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.0.1.6.9.d.a.8.-.d.6.5.e.-.4.8.9.2.-.8.b.4.1.-.b.c.6.5.f.2.c.9.2.b.c.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.1.8.-.0.0.0.1.-.0.0.1.4.-.a.a.5.c.-.a.9.4.0.4.d.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.b.9.e.c.1.2.b.9.7.7.b.9.e.e.6.e.c.d.c.b.7.4.c.7.e.7.1.8.a.d.4.0.1.8.7.5.5.6.2.5.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sat Apr 20 18:05:11 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):92520
                                                                                                                                                                Entropy (8bit):2.251585395482886
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:MgDKUm4WRTvQH1M3Ism186MngFdGb72dZIZfAYxLorGuB2M8qqK9vAogd5MBCGb:NDHmxRTvQVjS6MneI2ddYxLo9oM+
                                                                                                                                                                MD5:CCF19523F4BA9B5B38676CFB1B070251
                                                                                                                                                                SHA1:61167AFEA3305C3973D17383A1B6D277CD3E0BF8
                                                                                                                                                                SHA-256:F79BC075003F8EE63839EEB6F69C4C10123BBBE8D2FDD69E6D024D30ADCB5B2F
                                                                                                                                                                SHA-512:BA13907A0503F340B937EF06E2337CD78F1268D679B799F5AF99D77A54D758BC00CAE183FD7236A2A8F44D34BC3ABEF212805662207B62F76608848B437E8E0F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MDMP..a..... .........$f........................D...........<...........4....>..........`.......8...........T............)...?......................................................................................................eJ..............GenuineIntel............T.......$.....$f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6404
                                                                                                                                                                Entropy (8bit):3.7211099350163033
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:RSIU6o7wVetbmuE6rO5YvYnlFXiWqgaMOUO89bkxsfYMm:R6l7wVeJmuE6kYve9pBO89bkxsfYMm
                                                                                                                                                                MD5:4B188D94A259A5730B9D7C4F32DE17F5
                                                                                                                                                                SHA1:760EE5CE2E58847AE4F706945D1730658AF3F5D2
                                                                                                                                                                SHA-256:03ECCDB74D74EF4F5A5570B9E2D54A4B7EFC79BDFCDBD77806728ED5E299B64D
                                                                                                                                                                SHA-512:CEEC5BBFCD48E78AF852FB78AA42626CA27F56D8BEE01B91C5E7FAEDDA99EB02A59F98F15F47F01521B687B7B4B49BF512DB02FB067A01D5B736B52B2F81DFC6
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.1.6.<./.P.i.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4712
                                                                                                                                                                Entropy (8bit):4.477671891429099
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsKJg77aI9EXWpW8VYDYm8M4JLJFE+q8vhZTVgCTwd:uIjfYI7mm7VDJkKTTVgCTwd
                                                                                                                                                                MD5:D03F852D0EE1E66998A7B731403A8A33
                                                                                                                                                                SHA1:1997C7D23F4DA5C69BEB8A5A120356B9DBA94CAC
                                                                                                                                                                SHA-256:1169C767E8B821DD088BC403BE0296D69985988E6657534DEBDB4E0480369ABD
                                                                                                                                                                SHA-512:08FCA404A54506FFB97DF08AFE2A034E3419D3838538A0B405E1CCF637DE6C35895D12E2A4DFAADA8FD5034613C0177E46D844F1D4470615302BBD0AF5CB3782
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288547" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6406
                                                                                                                                                                Entropy (8bit):3.7206543248353454
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:R6l7wVeJvuY6S2XYve9pBT89btFsfrZPm:R6lXJR6S2XYWWtefY
                                                                                                                                                                MD5:F76FF88912DB3CE881162FB476A901E4
                                                                                                                                                                SHA1:D5E4D354F6D2A1AEBEBAFEE6B5EAE0CA8533D522
                                                                                                                                                                SHA-256:076842438FAD2830686AC65259DFB22479C769CF6ACB54BB41F4C2907D5BC793
                                                                                                                                                                SHA-512:0B557EC8C03D3F127BD506CBDFE1FB46FCDA66BD3B2DBE4FB5EA43D2ABFEB7130213A16551C06A69C938250296785CFB19BBF1E110FBF90F2846FEF02851119E
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.4.8.<./.P.i.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sat Apr 20 18:04:59 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):57816
                                                                                                                                                                Entropy (8bit):2.235845580063549
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:Rjl/1PhjK1TvD2jMMOsIqYczfWAYxOoIAHNxzoGY:v9Pk1TvKMjXozpYxOoIM+
                                                                                                                                                                MD5:74103E10C3223772361FFB2564E828A3
                                                                                                                                                                SHA1:7CB97AEC93F1E27E07A42C5782F6788CA290E9BE
                                                                                                                                                                SHA-256:74D4D21D55C96BEF294E04B4CB7684397883534CC5A587283CBB01D81AB55363
                                                                                                                                                                SHA-512:925395CBBEAC2E847FFCD79458D4DA435441D609CB60A36C478E17A5E6B280E4C3BD95A91A2BC7571BC39C91096EAE5B74B86A077972BB1A11DE3D15B2F69EC5
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MDMP..a..... .........$f....................................$...l.......d....0..........`.......8...........T............!.........................|...............................................................................eJ..............GenuineIntel............T.............$f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8408
Entropy (8bit):3.69321730819331
Encrypted:false
SSDEEP:192:R6l7wVeJtCh6O6Y9GSUe6gmf6S9pBt89bJ4sf3Dm:R6lXJm6O6YMSUe6gmfPYJrfq
MD5:FEF37187A4B4B7B3337D966CDD2219C3
SHA1:0659F0F54F98C330991737EA9795ECB878F1AD8B
SHA-256:F54C45C07750B73289DC19EBF615E4A2A5220D30F52B509C7898ADAA110EE1BF
SHA-512:87A4F56608CD3C5D9926C9C8C4B35C821BAF073F0E017236BF9C21BD9323CF68C46847421889335FE45BC9B3531DC7BAA4A6B160805B42C6E0E8E3F14F85B152
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.4.8.<./.P.i.

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4692
Entropy (8bit):4.4537000000182925
Encrypted:false
SSDEEP:48:cvIwWl8zsKJg77aI9EXWpW8VYJYm8M4JPJF3LP+q8vK7j8LCo3d:uIjfYI7mm7V5JnPKcALCo3d
MD5:6922EE4D4702309FBDF8EEA9A0E84AA7
SHA1:A650BA6F6DB0CBE30179DE0022DDE5E59EA6202D
SHA-256:4BEA38456094AB76538350577C45A449C15CFB79F123C03C2C8F60B38005FFEB
SHA-512:FB1ECA38B12E75C391FC6B6EBDDA10462AB74D3273DE53056E81B108E20023EF2EB063D825F08332A7CB336A6FB6F456C77ED1E7D3185D2A0A24810FA7B2D421
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288547" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Sat Apr 20 18:05:01 2024, 0x1205a4 type
Category:dropped
Size (bytes):56560
Entropy (8bit):2.220330742748371
Encrypted:false
SSDEEP:384:C+Wo/jb1TvSz2aOsCjCv9pVYxK8cMCWt+4MT/:m+jb1Tvc2aOeFYxK8csQ4O
MD5:0B9B118359E8542D4C25C65E4B3AC62E
SHA1:6F9F156F767F7402B160C11ABA4D7711A45EAEB9
SHA-256:0351BE1EF81E04E72E74AD3C2A22B2488C90B6A9A10181DFC88EE2BE09AAE09A
SHA-512:603715803B037E78EACC1A2C73A352176E58AB034E031DFE5AFE007D68AA3017C804BEB1A6EE82CC48B6454516C5649086718B4421957ACD09798B3B053CB579
Malicious:false

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):6400
Entropy (8bit):3.719110798552588
Encrypted:false
SSDEEP:96:RSIU6o7wVetbvuA6q6YvYnlFXiWqgaMOUv89bFFsf3oXm:R6l7wVeJvuA6q6Yve9pBv89bFFsf3oXm
MD5:F71BFA080784D17FB8D9AC016EA5EC41
SHA1:34B0DC0A9E0B48019E9A38F16F70AE9B5E72404A
SHA-256:EB9F6D50E87E0B6D02C960ACBB0803FF445C658713771B832AF78F8462071542
SHA-512:C317FEAE90A5B0EDDE1C0C64BC462070BF1F96B5F2EB94456237E8C476D08AEF6F16D1038BE5EA4B4E36594F534554BEF8A7819C50729BD5F141AF6CF7F74289
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.4.8.<./.P.i.

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4712
Entropy (8bit):4.481068435075929
Encrypted:false
SSDEEP:48:cvIwWl8zsKJg77aI9EXWpW8VY0n5Ym8M4JLJFZ+q8vhUtTVgCTrd:uIjfYI7mm7VdnoJ5KOtTVgCTrd
MD5:64BB7BA1F58619285123E791BE9A2ABC
SHA1:D6C13ADDC262205AF8FBF2F7A93E24EB92A3257F
SHA-256:8E2483DEC1CACF5F57788919CB4C0A112A448B91E022CADB53A79CABCB34D663
SHA-512:E238947753633713A832978C306C9ADEAC25E21107F05C5F45790C03EE5B1D8164763EC01E14E6D5E9396B1A66CB94A617211FEE30349C34F9E5962B54F774D3
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288547" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Sat Apr 20 18:05:01 2024, 0x1205a4 type
Category:dropped
Size (bytes):69400
Entropy (8bit):2.274028638536743
Encrypted:false
SSDEEP:384:T0cgKv0qn1TvzWVnskZX/n9i6S3NZdWAYxOoInMdGRUH7yq:wc3v0qn1TvzKnb/nlYNZLYxOoI5oy
MD5:A31A6894E64EDA255CD47D389D62C730
SHA1:B34BEAC0F5C93EADD8596195A0527C6C7FC415E8
SHA-256:E3D38386AB414D1EEAB4723E673C7626D5BB03AC0A33308475E3AB0357E687AD
SHA-512:07A01CE641F59DEB20B0557DFD9A5874EC314CFD13B6010D86105628D4729016BE4F58CA4FC2F18851513308D5783A608AD33EC5409B985107915A30C2247C96
Malicious:false

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8408
Entropy (8bit):3.6939755149969327
Encrypted:false
SSDEEP:192:R6l7wVeJtCx6jI7Ye6Y9sSUF/gmf6S9pBp89bF4sf0lXm:R6lXJW6jIt6YWSUF/gmfPUFrfx
MD5:67714CB64DD6475B93D07DE8930E1496
SHA1:B624E03FE21FB84400CA4703D746C360128E4765
SHA-256:24C3A29652D2FD7C375A56B7F742C0D39B5541E35CE949EE40A22FCBE6519169
SHA-512:ED6F7442B1A380B68C1F7F0126C4CC8A0F21A7D24DADFAB5E8FF698904A266B1D3CEB3660A4BAAA24A1C28834DED3BADED5945A66234D4EAE2C41C7E2158A679
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.4.8.<./.P.i.

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4692
Entropy (8bit):4.45305112643054
Encrypted:false
SSDEEP:48:cvIwWl8zsKJg77aI9EXWpW8VY0JyYm8M4JPJFG+q8vK7j8LCo3d:uIjfYI7mm7VdJ7JqKcALCo3d
MD5:F640BBF3632BA0E8701EED34DED4C739
SHA1:0FD03832E1308F7CF10BA6A2B0D0E503D18D18C8
SHA-256:88B8CC1D18ED9E2757F206316FA57577E833226DCCB6550F0FBAB0319512812C
SHA-512:3E28A39C59AD666ADBD4B87E2C49ABD9933B1134E50DDC84DB93CE5BD75317F7D8E45C5B9A324F4901B34CD322945EC18AA5F544DA91C66C8BBE5BF7F4EDCBA2
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288547" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Sat Apr 20 18:05:02 2024, 0x1205a4 type
Category:dropped
Size (bytes):75652
Entropy (8bit):2.223155097410558
Encrypted:false
SSDEEP:384:WvF1Lf31Tvlg5a1FknYwOgsAzCMjS3NZdWAYxOoIoM6IWCJLizHU:m9f31TvlgwnknygSgYNZLYxOoIFW
MD5:CA1591A80C5817B725E1B61E0AA2EA14
SHA1:3AF01D6EA3CB7ADED082CB3DFC1335EDA478F51D
SHA-256:CEC0DE28F37936C94A86CDC1FC216C63DD8417C3FDED3BC5E379C1BF9077D5B2
SHA-512:EA7CD341035DED0D5390EA3C98539C6EA1CF7D8DC70924B8F528C0CCB18256B30C159B6F10193565207739A64D69CD9393658E6BB2EFEBE975C1B9B756C9C595
Malicious:false
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):8408
                                                                                                                                                                Entropy (8bit):3.6938110600620946
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:R6l7wVeJtCE6c6Y9KSUF/gmf6S9pBB89bu4sfs6m:R6lXJD6c6YwSUF/gmfPcurfQ
                                                                                                                                                                MD5:7A02D030333451DBCFDBFFBDCE4B60B6
                                                                                                                                                                SHA1:316FF2020C08F9EB51ED4B5BAD1DD8A47B03CF67
                                                                                                                                                                SHA-256:25B9A7F813F1FCE196770526F54697970B58B5F85B7EEA59CC4554B9C30C088D
                                                                                                                                                                SHA-512:5AB037DED380EBD3C6D8FAB46D82298135FB235341464D955C1DCD3EBF56A6BB17258EC3172121AB83562CFFEE1C530122FC236BA00AA7B6C55C4A5178871ED5
                                                                                                                                                                Malicious:false
                                                                                                                                                                 Preview:<?xml version="1.0" encoding="UTF-16"?><WERReportMetadata><OSVersionInformation><WindowsNTVersion>10.0</WindowsNTVersion><Build>19045</Build><Product>(0x30): Windows 10 Pro</Product><Edition>Professional</Edition><BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString><Revision>2006</Revision><Flavor>Multiprocessor Free</Flavor><Architecture>X64</Architecture><LCID>2057</LCID></OSVersionInformation><ProcessInformation><Pid>7448</Pi
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4692
                                                                                                                                                                Entropy (8bit):4.452576771773431
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsKJg77aI9EXWpW8VYmzYm8M4JPJFiKJ+q8vK7j8LCo3d:uIjfYI7mm7VSJeKJKcALCo3d
                                                                                                                                                                MD5:922DFFC9AF5F8B65B04F4BFCEF9D669F
                                                                                                                                                                SHA1:EF715D2D1434A0545174EF035F5F23CD4A8FD821
                                                                                                                                                                SHA-256:D21003565AA33616C07F076DB8290F7329F18A93DB6565C641F40623D28BC8B6
                                                                                                                                                                SHA-512:A7C6881D75BDAD62ABD838EFBC72011841B0A3ADA0BEC90F6743021653697A699C3572F2C434338010B5B2790EDC6788C460583B07268F3CA688F20307F94FC6
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288547" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sat Apr 20 18:05:03 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):80466
                                                                                                                                                                Entropy (8bit):2.1383908112059933
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:irRtrEei1Tv+H8Imv0wnYJisF+uL6S3N5dWAYxOoIKM2ZV75p96P:S4ei1Tv+E8wnQiBYN5LYxOoIAhY
                                                                                                                                                                MD5:A395E387DEA5F293C728F3DA65FC0E80
                                                                                                                                                                SHA1:A434D27AA11030877F4A798B5BF122F6C52D8061
                                                                                                                                                                SHA-256:046E89DE60CBFD359A43F29E9615D4DFCBD338CB716C018C57BACB4E5693E9B6
                                                                                                                                                                SHA-512:CEC586087FB70D9FA5943CF3293C59E49A846150A628BAD97F15558484A51B32803FA15D0BB31C69B9010C71C47BFAC23735DE00631306159AC7EB0FB6C0E09F
                                                                                                                                                                Malicious:false
                                                                                                                                                                 Preview:MDMP (binary minidump header; readable UTF-16 strings in the dump: GenuineIntel, W. Europe Standard Time, W. Europe Summer Time, 19041.1.amd64fre.vb_release.191206-1406)
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):8410
                                                                                                                                                                Entropy (8bit):3.6963899327037
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:R6l7wVeJtCA6rT6Y9nSUBFDgmf6S9pBG89b34sf959m:R6lXJH6rT6YdSUBFDgmfPd3rf9K
                                                                                                                                                                MD5:DE2DF7C48FDD0B8695B7027D60F05768
                                                                                                                                                                SHA1:34F75AE5003E970D1583D0CD0D7E7BA88E183541
                                                                                                                                                                SHA-256:24513F2BBE0EAEE26464394B1E20F1E019018F264DAD4A3CAA83B231335AECED
                                                                                                                                                                SHA-512:8ED8FD64E2C86C7B082CF869227085374C70C4A0BF07D919BAA1C7AE2412142B8371C33766F2ACEE3AD13C446639CC10F5AE14ADF4207BD6F2FB1DF2C635C8CD
                                                                                                                                                                Malicious:false
                                                                                                                                                                 Preview:<?xml version="1.0" encoding="UTF-16"?><WERReportMetadata><OSVersionInformation><WindowsNTVersion>10.0</WindowsNTVersion><Build>19045</Build><Product>(0x30): Windows 10 Pro</Product><Edition>Professional</Edition><BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString><Revision>2006</Revision><Flavor>Multiprocessor Free</Flavor><Architecture>X64</Architecture><LCID>2057</LCID></OSVersionInformation><ProcessInformation><Pid>7448</Pi
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4692
                                                                                                                                                                Entropy (8bit):4.454607891336303
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsKJg77aI9EXWpW8VY9Ym8M4JPJFG+q8vK7j8LCo3d:uIjfYI7mm7VpJqKcALCo3d
                                                                                                                                                                MD5:002BE1B74A87866BDB3AC8952B4A663F
                                                                                                                                                                SHA1:D0CA438D9EA716F5057E43F9082A97037A4B4209
                                                                                                                                                                SHA-256:0DE1E7C737CA727128FB6CF007844023071FFBB56569EEC440046E4E62A82A66
                                                                                                                                                                SHA-512:8D50C2BCEC7D4E552BAA4983D531569D587A90CA0353971C32AA15D410A5A159A362BBA03F05147A4B9E8718AEF8F45FCD393B40AAC10E63679F67A844DEB86B
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288547" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sat Apr 20 18:05:03 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):56184
                                                                                                                                                                Entropy (8bit):2.2273095130691476
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:JrqLLGPtRTvH5xj9OUsODZVNcgfAYxvo/APbTGk:pALKRTvHt5IYxvo8bTj
                                                                                                                                                                MD5:A994E9659D16BCAF1782EDE3968DF713
                                                                                                                                                                SHA1:7DE62F92AF927D2D495B6A7D6E19E88A763A10BA
                                                                                                                                                                SHA-256:73DBFE855CDD5DF55EDA585F9597F737D4BAD945F12620A7E5F72CDCB0E1176E
                                                                                                                                                                SHA-512:7E9B11C7D4641953156757F7C763F04527C41C96909B926BF723EB339A8FD8AEB721526071E6E2832076E83D77B3EC7F43A3E86934A3BEC26653505E7C438CD7
                                                                                                                                                                Malicious:false
                                                                                                                                                                 Preview:MDMP (binary minidump header; readable UTF-16 strings in the dump: GenuineIntel, W. Europe Standard Time, W. Europe Summer Time, 19041.1.amd64fre.vb_release.191206-1406)
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6402
                                                                                                                                                                Entropy (8bit):3.7222339894698346
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:RSIU6o7wVetbmu06LLVYvYnlFXiWqgaMOUO89b3xsfNqi9m:R6l7wVeJmu06FYve9pBO89b3xsfNx9m
                                                                                                                                                                MD5:354F58839998AEEBCD8B0EB440A4D720
                                                                                                                                                                SHA1:BBCE607008647EEE735970A078E2880DD4863319
                                                                                                                                                                SHA-256:1BCC5950516F18627DE710FA1023A7C47CC99BE763FF80F6C979476FC2A51452
                                                                                                                                                                SHA-512:768C8D456909E13224C88ABCD80EE695184AF6E4379B26530078934C2746DD8B39D6574675419C93053A8C390E26369B5BAEACE6AB049CFD4C4082BFC59A93FE
                                                                                                                                                                Malicious:false
                                                                                                                                                                 Preview:<?xml version="1.0" encoding="UTF-16"?><WERReportMetadata><OSVersionInformation><WindowsNTVersion>10.0</WindowsNTVersion><Build>19045</Build><Product>(0x30): Windows 10 Pro</Product><Edition>Professional</Edition><BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString><Revision>2006</Revision><Flavor>Multiprocessor Free</Flavor><Architecture>X64</Architecture><LCID>2057</LCID></OSVersionInformation><ProcessInformation><Pid>7716</Pi
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4712
                                                                                                                                                                Entropy (8bit):4.478712793580578
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsKJg77aI9EXWpW8VYfZYm8M4JLJFH+q8vhZTVgCTwd:uIjfYI7mm7VlJnKTTVgCTwd
                                                                                                                                                                MD5:2B70D08F4FD1D886D6949F43DF5CE19B
                                                                                                                                                                SHA1:0BE0024F64F90540CA6C589984D374C0269096BD
                                                                                                                                                                SHA-256:7C5603ECCF5927B29EC40DBB1A2388B6E48853B7370BB6A897CBFCED2DC823F3
                                                                                                                                                                SHA-512:C59A9892AB1B2E9C960EE5392F9720B019A35B308F0319E285734CA06E9703FD40315BAE5C0F62D701EDE3E639BDDDD75AFC6138EDA47541867C356DE69D647D
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288547" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sat Apr 20 18:05:03 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):94112
                                                                                                                                                                Entropy (8bit):2.253313280419728
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:768:FJwNbUR1Tvvo5+uhn1De57Y3uoIhAkPUsvN0:LabCIDh1DejP5C
                                                                                                                                                                MD5:108FA1DF8467BA8EADEBE08156362D8E
                                                                                                                                                                SHA1:680E3A39C35C71FCD653F972104E9CA77C9FB3D5
                                                                                                                                                                SHA-256:04171F40DF0BCFE24F05ED640909C1B912E5D863374BEA8725A0708C5446F0FB
                                                                                                                                                                SHA-512:7E631F455A5492F87F3A8623416459C9C088B59F15CF455B0ACD8DD9BB43D8086B16C02050E1B9DF063E4B087738256A7F0C16C422E902CC7B58E45CC3B17188
                                                                                                                                                                Malicious:false
                                                                                                                                                                 Preview:MDMP (binary minidump header; readable UTF-16 strings in the dump: GenuineIntel, W. Europe Standard Time, W. Europe Summer Time, 19041.1.amd64fre.vb_release.191206-1406)
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):8410
                                                                                                                                                                Entropy (8bit):3.6942431181890263
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:R6l7wVeJtCw6pB6Y9XSUzegmf6S9pBH89bY4sf7Im:R6lXJ36pB6YtSUzegmfPKYrfh
                                                                                                                                                                MD5:CA9755F14936D767CB54EFF64E23C68C
                                                                                                                                                                SHA1:D948FF59849092EC61C34EB61E97A67D4F2DAD1D
                                                                                                                                                                SHA-256:501F6093A488128CBA322A7EAE8BFFCCF4B01B4AAE2F3B5B13A0122420E0B165
                                                                                                                                                                SHA-512:7F5B7E515C721A909676EA2F978B3A08B53E9B3A617C5FC697341294B458DD512E718B871C46ED1D3A80D257547215FA62B3C296C2FC3F3C395D44CC83A96751
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.4.8.<./.P.i.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4692
                                                                                                                                                                Entropy (8bit):4.4531032237199195
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsKJg77aI9EXWpW8VYFJYm8M4JPJFU+q8vK7j8LCo3d:uIjfYI7mm7VHJgKcALCo3d
                                                                                                                                                                MD5:87B70A542A4DE44621382E54CA150C44
                                                                                                                                                                SHA1:D603AD5CE0AE6AD0D28BD815E91E62312D1DE52E
                                                                                                                                                                SHA-256:93E8EE699C88A2EAA3329141E08217563E3342FBDD1373B0DA41BA5C784AB177
                                                                                                                                                                SHA-512:B66737A9D2EC44F3E3C562E9A6F3D169C96598BC349DB4451BF043302D7966DF67F9AC1770CC7D91EF1AC3FBA011BF03EA020FD1866D52E818453CF88B0E1267
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288547" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sat Apr 20 18:05:05 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):104908
                                                                                                                                                                Entropy (8bit):2.235039619678787
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:Zo9W0VsQ1TvIBtIBq9o9/BysMXwOGZb3Agd1n53mQBWkY3+oIxMqbiYh95TJgXtK:m/CQ1TviEq9O0RwRDdnmQ7Y3+oIZNqY
                                                                                                                                                                MD5:1C8CFDADA1D28C9AF0E0512082E331AD
                                                                                                                                                                SHA1:740A0954F05335D3F5B1DDD96B42AFC857E103A1
                                                                                                                                                                SHA-256:D48F57FC820102D9A7DA8A4565EB92B34571783FDB82264474413CE34E6BA28B
                                                                                                                                                                SHA-512:204C6DC0A874AE3005D59F36370DE41AFB5D32284D9A84ED0B2D849164C59F053E267133CFD6C449C4A5E24547C41ADAD944E643CF79C4C2959FCE6C487C2F68
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MDMP..a..... .........$f....................................<.... ......4...ZF..........`.......8...........T...........`7..lb...........!...........#..............................................................................eJ.......#......GenuineIntel............T.............$f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):8410
                                                                                                                                                                Entropy (8bit):3.6945513886072043
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:R6l7wVeJtCA6r/6Y9zSU3Qgmf6S9pBH89bh4sfxLm:R6lXJ36r/6YZSU3QgmfPKhrfg
                                                                                                                                                                MD5:DDFA0A3AFE3F50E42FC2D6B5C5349383
                                                                                                                                                                SHA1:7E0A936F4B40218E603AD277B2DFED578615C22E
                                                                                                                                                                SHA-256:4EF099A87D29E15108DF06F57B1659014F8C17A8BDBA0EB4AF6F39D632E4127C
                                                                                                                                                                SHA-512:C2174B1C1176F1BAB244563BAD0820ABABEC5B347196269458B62F5B30930EE25C0C8F5A536985BE4BFF4F6248096D9B19239F6CE669AEAD4B92573903E154C2
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.4.8.<./.P.i.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4692
                                                                                                                                                                Entropy (8bit):4.45089327125271
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsKJg77aI9EXWpW8VYOYm8M4JPJFe+q8vK7j8LCo3d:uIjfYI7mm7VyJqKcALCo3d
                                                                                                                                                                MD5:601EE8D7C693C7886CA562D77D131ABA
                                                                                                                                                                SHA1:981446A12B767E4610686DE162A47CC933EB5A3F
                                                                                                                                                                SHA-256:32A5808DD9BC5F0CF2E5164E1196192933564583D1CDEA10D93D7204F64915BF
                                                                                                                                                                SHA-512:8082A06136B7C34A0C463E30ED752F1B7BBAA47BF9E28E6F081A81F5F1E18137AB10DD738EA31B8439DA4EA18F80BC12A79F10AFA0158D580566DFCF8B33BAFF
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288547" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sat Apr 20 18:05:05 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):112674
                                                                                                                                                                Entropy (8bit):2.1460246049314256
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:768:eEB941Tv+pU4t9lpIsQRY3+oIz8rVZPKj4Vj:e0M2iw/pIsCCV5Kj4Vj
                                                                                                                                                                MD5:7B81CF9D517F6CFA09094469CDAFC4B1
                                                                                                                                                                SHA1:CE08ACA27D7B8641A7EAA4DA5C0EFCF55493EAC4
                                                                                                                                                                SHA-256:358AFC0E190DC033CB0C06F316CACFC3C0207D67C650320F574CFA1C2AD9235C
                                                                                                                                                                SHA-512:0A9759B7A20A522C01E7D368093886CA966B284967701E44609C7683F7422E84E310BF025C99CF016EDBF6772A8E56F0B6C74792F1EB1546D9789C664A181181
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MDMP..a..... .........$f....................................<...."......T...tK..........`.......8...........T...........PG...p..........."...........$..............................................................................eJ......x%......GenuineIntel............T.............$f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):8410
                                                                                                                                                                Entropy (8bit):3.6924401158679707
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:R6l7wVeJtC16s9c6Y9qSU3Qgmf6S9pBa89bh4sf4RLm:R6lXJC6sW6YwSU3QgmfPRhrf4A
                                                                                                                                                                MD5:88DF513299994F252ACA869888B067F3
                                                                                                                                                                SHA1:87703A390DCA5EE0FA898C598281DFBDB199EDE9
                                                                                                                                                                SHA-256:B382B8E45CA1354AD4AEC4A1BC522AEAA255BD61638F006E603572DCAF4358FA
                                                                                                                                                                SHA-512:CAC18564C2FA862135C9E92BBC989899E25D43213C436E55A32399C656C2015F7BBA4B6640F380A7EFEAD3649C30F2CC0365ADEA204CFC4202384DFB47E5493B
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.4.8.<./.P.i.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4692
                                                                                                                                                                Entropy (8bit):4.453390574107926
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsKJg77aI9EXWpW8VYIYm8M4JPJFd+q8vK7j8LCo3d:uIjfYI7mm7VAJ5KcALCo3d
                                                                                                                                                                MD5:BD4DC9742D3D010527CC702A1383E8CC
                                                                                                                                                                SHA1:0B36243521D86997B840E41EE40E3341DDB98511
                                                                                                                                                                SHA-256:29D794F8ECE30BD19D7196CDE3FE4B6BFFAA250B591C0AE59173E09D1C396E0D
                                                                                                                                                                SHA-512:DEC5DD75433F40CDDAC04F9F56900D3B8D607B1B8514562FA59F9264475FFD40FFA84D3FFED99AD40F8425A561963B624F6E4F68FC577CFE469AD9F1D5936584
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288547" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sat Apr 20 18:05:08 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):68800
                                                                                                                                                                Entropy (8bit):2.285558441463831
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:JJSyzBQV1Tv/Xnns7yzbHeeouKrXpVYxK8cz7U9pUoK:bSQyV1Tv/XnnpzyeVKrvYxK8cqUp
                                                                                                                                                                MD5:9D98EFB15AA1E90A7200F8BF277182EE
                                                                                                                                                                SHA1:585E8900AAE4A31B6CB23A982482EC5A1FB35B0B
                                                                                                                                                                SHA-256:9CADA4B635E17480F58874780E507D1B3097E13E74AEAEEA94C6A7BD04371E8C
                                                                                                                                                                SHA-512:FBB09C872F8381BDD1EABDA3267EB60E2CD00FA921348A9A8332043FE16D68996BB3F1347F946BE28071F5ED1FA07DF5721DA805DDBF31CC985CF244AE9061BB
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MDMP..a..... .........$f........................l...........<...t.......$....4..........`.......8...........T...........($..........................................................................................................eJ......4.......GenuineIntel............T.......|.....$f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sat Apr 20 18:05:08 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):68444
                                                                                                                                                                Entropy (8bit):2.2912660114626417
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:CoZjQZCRTvgs6uCuGsAjsLv8ldihVzGAJZI+fAYxvoGdHA04:NBQMRTvYFTjcCMzGAJKYxvoMo
                                                                                                                                                                MD5:170EBA843DC1DCAA5166D167097487B4
                                                                                                                                                                SHA1:A096C8E618C2858DF3F8960EA5DFAAC128BABCE2
                                                                                                                                                                SHA-256:1B2D5AF7D7C245BE581986748556A66062B9BA2C826E40FA462E2277955AB657
                                                                                                                                                                SHA-512:1DBC63C9D5B8BCE9F02352C16CCC615A00C0CDF8EAC53D701254086C42FCDACAEF7A805DD7C4B4AED02CE112B07C4CB44A35AA31BE2893B7F3C3BF8DBCD507BD
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MDMP..a..... .........$f....................................<...........T....4..........`.......8...........T............#..L...........D...........0...............................................................................eJ..............GenuineIntel............T.......$.....$f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6402
                                                                                                                                                                Entropy (8bit):3.721396299674726
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:RSIU6o7wVetbvueY6sYvYnlFXiWqgaMOUG89bEFsfhgTOxsm:R6l7wVeJvuB6sYve9pBG89bEFsfhbxsm
                                                                                                                                                                MD5:487D4105E7F51F6272622DBA18552862
                                                                                                                                                                SHA1:80E2F4EFBDF37A0DC652082C9E2CF84863E9ECDA
                                                                                                                                                                SHA-256:58CEF4B06E0A1EB28FE40A2749794DFAA1D1197ABF599B9A0514E2037003FF3E
                                                                                                                                                                SHA-512:8BC1E13AB01BDC30E40722CDE2D29251A5801CECAE88B94D18E2BE064E1A207290793F2EFD47763D50631FDFCB5EB0E381453F895B90EC8E5C98321948031B84
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.4.8.<./.P.i.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6402
                                                                                                                                                                Entropy (8bit):3.722254634620534
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:RSIU6o7wVetbmuub6A0YvYnlFXiWqgaMOUM89bExsfLysm:R6l7wVeJmuK6zYve9pBM89bExsfLysm
                                                                                                                                                                MD5:6AFF19C20327366135FA525CE39ECAE5
                                                                                                                                                                SHA1:BB1A5A1A0A44162711C150373BCB4862B0C4008A
                                                                                                                                                                SHA-256:057C0FDCE396D6E6A288C6D755ABA73F785564B20D2F037DE995D5ED4BCEDCBB
                                                                                                                                                                SHA-512:0EF0BBDEB49D5E23B1E98292558209259F5ADFAA08922D6E26C78F526E728996C7270EDC5D673049A64326F14F8CACF35D3CBD5FB1A5A142ADC9D01503E76584
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.1.6.<./.P.i.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4712
                                                                                                                                                                Entropy (8bit):4.478932770860301
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsKJg77aI9EXWpW8VYuYm8M4JLJFo+q8vhUtTVgCTrd:uIjfYI7mm7V6JIKOtTVgCTrd
                                                                                                                                                                MD5:4B882532753BF13BAB28F6B03D91E388
                                                                                                                                                                SHA1:581E026ABC756C8C25393FB3C91A66FCEF7BDBC6
                                                                                                                                                                SHA-256:DDAC400C8116EC9247DFCD10EB4F365877F16D66886BAF53A88AA9B22F21D71D
                                                                                                                                                                SHA-512:E396AB6EE3DBCDB3FF7C40E05227A08769171C3426231B32C52C23F9F26C6DF8B7516AFF560691BFD8EB5DA61F2D044CCE7A9B57891ED6A36CDF59A3301D6346
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288547" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4712
                                                                                                                                                                Entropy (8bit):4.480414570151488
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsKJg77aI9EXWpW8VYFYm8M4JLJFCk+q8vhUtTVgCTrd:uIjfYI7mm7VxJikKOtTVgCTrd
                                                                                                                                                                MD5:F33D4A8660B66CA3794712DF7DB83344
                                                                                                                                                                SHA1:93383180E345A6B965F99F7B284FF3FFB1873E52
                                                                                                                                                                SHA-256:70E9BE876BFB9DE9D607E188471A6498F143157866669F276E1C98AD6DC7941C
                                                                                                                                                                SHA-512:D214DF872E806F23CAE2FA09747D3F416F1C8FCA289C516DE86AB410293D6CC52F3DFE1AB6AD01DE9C3E79EE3D26DC25A8FB6EC30527C4A2245B5F63F5148985
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288547" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4712
                                                                                                                                                                Entropy (8bit):4.4784135750111735
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsKJg77aI9EXWpW8VYC2Ym8M4JLJF8+q8vhZTVgCTwd:uIjfYI7mm7VT/JcKTTVgCTwd
                                                                                                                                                                MD5:C80B5F2E2A2CD6503B4A7326C4BEC95C
                                                                                                                                                                SHA1:9CE1725BB2FB70475FF90E730F4F1F999F7F64D8
                                                                                                                                                                SHA-256:520296612FE6E6BB8716FD35D8F3B373AAC6107A777A8734285F3F2AEBFC3F55
                                                                                                                                                                SHA-512:5EAF01E6BB88377F0BF06F1583054A06B433635599819C61249ADCE77BD475A25ED6614202346A274DDC4F5F65F21343E88EDDC37F45AB813975A58EB3EAB7A0
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288547" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sat Apr 20 18:05:09 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):79634
                                                                                                                                                                Entropy (8bit):2.1232749371721233
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:b4yXTPlW1Tv2hspylb3AtG8sAdz7NKrXpVYxy8ch/0rXtZgh:b9jPlW1TvKspu0o8HKrvYxy8cGbtZi
                                                                                                                                                                MD5:FAB3FDE2559DC5CCBE58951FEDAD16A2
                                                                                                                                                                SHA1:84CBB23FF86AC35FF024C8FF315067A1B4536DF0
                                                                                                                                                                SHA-256:79625F733678BBDBF8A3C221C5D65CD75F2E0236E91F4A65B6EDC66CF8608968
                                                                                                                                                                SHA-512:4271A480BAF86C02BB50902A76D4A99988E76B1199B1BA04C12B6A092E18C6C095129E5406C4C6F57075E5FCA54AFA0DBCDA4F634FB2E7F7E182FE9D34E582CF
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MDMP..a..... .........$f............T...............h.......<................<..........`.......8...........T............$..J...........T...........@...............................................................................eJ..............GenuineIntel............T.......|.....$f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sat Apr 20 18:05:09 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):79258
                                                                                                                                                                Entropy (8bit):2.130088694417233
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:BXSD6XJqFwRTvG20ShHglgZdibs1pFzLzGgJZAZfAYx3oy0+MSRU/7:B8UJqFwRTvG20ZlmASTzGgJVYx3o447
                                                                                                                                                                MD5:BED543A28AF27CC7F35048AB6CAE22EB
                                                                                                                                                                SHA1:4CC5750027CFA52FBD63D57DC34DCA1BAA4C6FB8
                                                                                                                                                                SHA-256:D39AA084C7E050F022115E5DF0CB04441890213062677C05BE97E994B748281C
                                                                                                                                                                SHA-512:1A9C4478B30FAD429E7C310F6F38DB92EFAD3A46FF54B016E31099F67E8A60A482EA8F31BD17F564C9C91BB6EC60EFE875408C7000B554187000CC6B3644D9C7
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MDMP..a..... .........$f............T...........D...h.......<................;..........`.......8...........T............#..........................................................................................................eJ......l.......GenuineIntel............T.......$.....$f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6404
                                                                                                                                                                Entropy (8bit):3.7208723859650434
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:R6l7wVeJvujX6BceYve9pB+89bNFsfdxvm:R6lXJYX6jYWFNefdk
                                                                                                                                                                MD5:E140C48FB99F1C892CAA87F727795383
SHA1:AE22F6EB4AFFA3BE2251E1EBB503FC37E06AEF3B
SHA-256:E4D9574F3102E057A2915A654F6EED641AD463D920A890618E0D1038E6CEC10E
SHA-512:85646C725C123668A1A15B521385D62921BC290E08A486E8E89657F83E646FE8A07F45A75514E435E90DBDB3535941BA6D6A1CC9F45C44CCE28C8F0D96EF9C21
Malicious:false
Preview:..<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>7548</Pi

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4712
Entropy (8bit):4.4782432635254334
Encrypted:false
SSDEEP:48:cvIwWl8zsKJg77aI9EXWpW8VYWYm8M4JLJFl/i+q8vhUtTVgCTrd:uIjfYI7mm7VGJF/iKOtTVgCTrd
MD5:B0887E3885BCE317563BCBE1618E12FD
SHA1:5BFA4483F6FEBB84EEC03B950819D0C39847A0CA
SHA-256:0C961C0E73E57EDA50C6962A350A2AC9880FD4C4A4649598D7C079F0CB6048F6
SHA-512:84FD5C02782E3AB656AC0C864649BFA0C76FE3CB8E6244B71C5FD83822B17B2FC772A7266EC5BF28C7AA3CCA423E82B31B1EDEC893F2C3B6EAFE8BFD77F2DB4A
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288547" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):6402
Entropy (8bit):3.720234916746293
Encrypted:false
SSDEEP:96:RSIU6o7wVetbmun6QnYvYnlFXiWqgaMOUM89bNxsfM7vm:R6l7wVeJmun6CYve9pBM89bNxsfwvm
MD5:39C63C79A0A0938530B2CD4CC40B5F74
SHA1:419786BDD096B4273406A5E4FEDC758D96CFBA0A
SHA-256:5A502519AE43498AD956C56513D13BF5D9128458F806F0E398104F5E70AD210B
SHA-512:3504DB98D2D79310BECEE460EDE88856B9C9F4499F03DCE9862BC3DB007A8EBA00B7CF65E5C0EE3F1FF9B3A0AC1569CCA514221007F404C47258BF650E5A82D0
Malicious:false
Preview:..<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>7716</Pi

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4712
Entropy (8bit):4.480682268249986
Encrypted:false
SSDEEP:48:cvIwWl8zsKJg77aI9EXWpW8VYAYm8M4JLJFAnHlo+q8vhZTVgCTwd:uIjfYI7mm7VUJK+KTTVgCTwd
MD5:0F8C1FE553B7D105EBB072D04DC29F04
SHA1:5B34507F97966A306F675B4C7C8D9CD5BB301C50
SHA-256:3BE61C63671B76E59039B8244F4AF271C27BDD3D9870517BDBD83EEE11FAA8D2
SHA-512:C525841B9A68A72A44D3E7FBE058BF297D8DD898C1A367D6D32027D4DCB12B41A325369289ECB8F5BC06FA5307AD956068B650265A6D6D75B2A35A22126402F6
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288547" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Sat Apr 20 18:05:10 2024, 0x1205a4 type
Category:dropped
Size (bytes):79210
Entropy (8bit):2.122784027703538
Encrypted:false
SSDEEP:384:RryXTyL1TvNtrbRbaes0k0877NKrXpVYxK8c6k8ieIY47A:AjyL1TvrrdOeFYKrvYxK8c2ieW7A
MD5:79AA036EACEFF5BB727C78865CD515FB
SHA1:3E0E267BEF7C092A46A55A0336A9C2A8B22DAA56
SHA-256:E5D6AE792C4D22D401A30DD1F24118DF2154267300BD7F9E38162FB98E3EFF7F
SHA-512:202D3E346FF4BAE93772E417B5459923ADAE84146B6B75283BAF4984A8C0D0A6599A83C934122C27C7613B6D6CE7F31D3FF894223E39E27B2BA94247FB431A8C
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):6404
Entropy (8bit):3.7190486272296392
Encrypted:false
SSDEEP:96:RSIU6o7wVetbvuQ60tYvYnlFXiWqgaMOUB89btFsfBPm:R6l7wVeJvuQ60tYve9pBB89btFsfBPm
MD5:0CD1666F3003711C8DD3FD50811D6FB5
SHA1:BEDE74071B17C9648D3F87EE24459B9484ACFCB3
SHA-256:8D97AEC127A8FF3B024E624B281FAC0D45A6377C6D8985D83AE3CC2120AA8858
SHA-512:02A0A624BDE3FD866FE47908E9706F9984A2ADEAF33D7D3B16C50E78CBCF94D8B6F4693C1D7223E3BE45BF58918B3210D07EC6776AEF360ECB20F19333815236
Malicious:false
Preview:..<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>7548</Pi

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4712
Entropy (8bit):4.476737460633103
Encrypted:false
SSDEEP:48:cvIwWl8zsKJg77aI9EXWpW8VY/Ym8M4JLJFS+q8vhUtTVgCTrd:uIjfYI7mm7VLJyKOtTVgCTrd
MD5:E953B282E3672FA6104ED95F59394D77
SHA1:191AF51F956978E4B17E02AF0C460E5B032D4D44
SHA-256:0F45EA607B74A9BA3F12F147213A563D9370883C982056BDDABD0A31DDBD6A44
SHA-512:5B0A472BFD2E04370CC5F83886433A28AD9AE0E29092517429396601CD8194C022FE209A6CEBDBB63318E9028A5E4F48A1998EDDE5F41172DBC2587CA7EFBC08
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288547" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Sat Apr 20 18:05:10 2024, 0x1205a4 type
Category:dropped
Size (bytes):78834
Entropy (8bit):2.137444898290961
Encrypted:false
SSDEEP:384:USD6X1ZSRTvLSpvYXXgRsUCdGIzLzGgJZAZfAYx3owzFvUqbaP:TU1ARTvLSpva2Q3zGgJVYx3oUMqWP
MD5:203870B34BFE41E6A9C87BEA271EF8ED
SHA1:C109C72339D0E70D46243FAEAE55A8A1E31BEFF4
SHA-256:2DA23001FB9D878BEBC971DBBC77B8B3092E6329D550E99E678A257CC864B1FF
SHA-512:C006CAC33DA594CDD7C6F9CE657E80C836FCA6EBB09F487863A1363BED3D1E4C79A20EC5D58DFF0D87760C96DFADB6F48B3BFF7690F312EAB631B76310AA9826
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):6402
Entropy (8bit):3.7238496735746494
Encrypted:false
SSDEEP:96:RSIU6o7wVetbmuk6ijjYvYnlFXiWqgaMOUt89btxsfGQPm:R6l7wVeJmuk6yYve9pBt89btxsf9Pm
MD5:9A612BFE25981026A9E5E4C46051E5DC
SHA1:2C1397C51A4D14DF85E8F498CF1BD10C29440AB7
SHA-256:CC5D4976B966BD39E28B473615E5CDC77B2C96DEE305E6F101868DB15A49B9EB
SHA-512:76BF6F2224AE305FB109BB20990E83F3DFDD39B7740180B9A31A389A2B58A5332651DD7D8AC10403DC930C07B46FEC2FD420A7145D2717A14DE249C43DA49C41
Malicious:false
Preview:..<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>7716</Pi

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4712
Entropy (8bit):4.479676117661733
Encrypted:false
SSDEEP:48:cvIwWl8zsKJg77aI9EXWpW8VY5Ym8M4JLJFIK+q8vhZTVgCTwd:uIjfYI7mm7VhJoKKTTVgCTwd
MD5:F8F529F016D99F094C4D56FD5EE5C0CE
SHA1:487800746FDD27C62848459DDA8661AA2696C70B
SHA-256:67314B42312DD0B53FB8BB572773235E184C494D9113694C7E5F1ABBDD656CFF
SHA-512:D99EC2696E89C7674C608A3664F2688B26FD400AD711D3D166EC48B44811B07D919537D5AAA83B853B5FCC52C8D40243755CA68F75C8D26D921379328499DB81
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288547" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Sat Apr 20 18:05:10 2024, 0x1205a4 type
Category:dropped
Size (bytes):92896
Entropy (8bit):2.246041635005521
Encrypted:false
SSDEEP:384:GFexGTKsP1TvG7aO97WUzMMsgfZEbt6QD2/XpVYxa8cqeeRBYLgJpzI23++KuLmu:vx8KsP1TvQ9pxiEa0vYxa8cK3Y0Jp
MD5:AC46DAEAAAA38BCA635334826E5511C1
SHA1:B9F90E0737CD58FC142182FFB17E55DFBE19BBE3
SHA-256:E15EB39076DC26BB5383E2135A1D54351495E9A217D2BB6314EBD6D67DF50CFF
                                                                                                                                                                SHA-512:5392DEC06005E1E0E09C8EA4A7EB830171EFC06A962273780547DD1E5CD501FE66F39318FC34C3FDE838AB45575DE390DECAB45A7E7475BAF6E21FDF49E2B0F1
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MDMP..a..... .........$f....................................<...H............?..........`.......8...........T............*..(@......................p...............................................................................eJ....... ......GenuineIntel............T.......|.....$f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):952832
                                                                                                                                                                Entropy (8bit):7.663785344043907
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24576:3IwoFmXsR3sf1viW1V6T/uKWZUtH6z1o:YuosfYWH6zuKd6z
                                                                                                                                                                MD5:A815D2D73A30DFCAB21000B326B29C13
                                                                                                                                                                SHA1:B9EC12B977B9EE6ECDCB74C7E718AD4018755625
                                                                                                                                                                SHA-256:9BA89A594158DCAD47219D1FFFC94D54CEAB08AA934DFAF80A9880FEFD3E3070
                                                                                                                                                                SHA-512:8F0CAD5A685E5D6093F2A7C13B1EA3B7F3F267D72D95185621DC197031711E7D6EEBA589FB08F96CCD69F5801FA7573E4818EE226E23AA7E460578D827A5FE97
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Virustotal, Detection: 44%, Browse
                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 37%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................W......h.Q.....i...................e-m......S....e-V....Rich...................PE..L...s.pd......................j.....w=............@..........................0k...../.......................................D|..x.....i..|..............................8....................q......xq..@............................................text............................... ..`.rdata...u.......v..................@..@.data.....h..........z..............@....rsrc....|....i..|..................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):26
                                                                                                                                                                Entropy (8bit):3.95006375643621
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                Category:modified
                                                                                                                                                                Size (bytes):5601
                                                                                                                                                                Entropy (8bit):7.8974962445778685
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:1WGzqeAoMq+YK0KF8cAJiI2i+unpwSJH5Z2gqAgqlr1WKTS3KJ14k:ZqASpF8wFEp9t5QgcqlcKTS6J14k
                                                                                                                                                                MD5:6F65CE12654469D75AA3901797D3EB83
                                                                                                                                                                SHA1:2B4633A2218410C5B016CFDD39BA021D0477C68E
                                                                                                                                                                SHA-256:1EA731AA8876074047426D467164EE735E9962CD04084624BB8A026AF8DA099E
                                                                                                                                                                SHA-512:0AF9A483AB4DF91B341B383480486220B0B9E0531D5FC6BCF55B4D3C22122F412885E7966ADC1D36968A34DEE6709DCBCDBB47FC019D9BA60C2EB080C8727C61
                                                                                                                                                                Malicious:true
                                                                                                                                                                Yara Hits:
                                                                                                                                                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\HZqMYfpyMfdfHfQja15Vpq6.zip, Author: Joe Security
                                                                                                                                                                Preview:PK...........X................Cookies\..PK...........XQn.+............Cookies\Chrome_Default.txt.G..r...U.#.5C.....s$..-.D...7.\..$.G.)o....:....Z.C.f_..pm............"..t..t....}.k.@...a.2+P`.0.x.>....s..k%.._..b..P..((......B.....`.7..-m..JY..F....E.*.l.....I..&.....<J..M.......,V...)b.....Q..k......M?.5L....h}......X..'.0..tB.G...\;.a....4.......B4.......J.4.6.y:....4.-.UfE...3A*p.U5UX....Z.g:*e.j.C..Bw..........e..a^.vU:....$..U......B..`._.e.....+...9.{u...7.e...H.]02...%yR".0...x...P<..N....R.}....{.G...;..c..x...kw.'S>.d|.....B..k.9.t.!>.rh...~n.[....s#/....`.!..Kb8%&.vZB`....O|.....>K......L*...d0..03..t...T&.......`N.xp.."..J.......Q.....c..5...).Z.91.6.j..G.....Wr...a.52!..(^.U.....6....dB.D.^...7..0H.\J9.H.$^`e"..d...\....B.8Z=.qeP.3Y.>..'W.X..T..>z...,..K......g....%B.w4#...;.[]u|....v...3.;L..U?..b.....u..*..... .......F...P.a...|R*3.=......r.:.64...#D..^..>.A..ZT.]E........t...f...1..3.....`...X.....C.]%...p.p.ym
                                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                File Type:ASCII text, with very long lines (769), with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6085
                                                                                                                                                                Entropy (8bit):6.038274200863744
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
                                                                                                                                                                MD5:ACB5AD34236C58F9F7D219FB628E3B58
                                                                                                                                                                SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
                                                                                                                                                                SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
                                                                                                                                                                SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
                                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6414
                                                                                                                                                                Entropy (8bit):5.306085065127627
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:x3c2shZRsBLcT4Aisph+9hcmzGMO6B2LfwNz007ANUbg3x:x3ctuBLvAtphWhcmzGMK/B
                                                                                                                                                                MD5:932D3735DEA54FAB51F01669F62617AE
                                                                                                                                                                SHA1:9A9788A5DBA8B6732136FD69A13BE2CE5B8B2A16
                                                                                                                                                                SHA-256:0606114DF3DBFFF17384089E9A53DF043D1F4C1ABADF7647499D9AA0E3CFD058
                                                                                                                                                                SHA-512:6D9C79FFD449C84FC05EB6D2973F474F577A82AA5C4737B69563C73652CE5F3B60568B531429E77BCFC6C1A7B14C0FAC896D0C057685907F405749034C7E67EA
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:Build: pivas..Version: 1.9....Date: Sat Apr 20 20:05:17 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 8c6034115eb0f9d8dd1b9d669a1c4d6a....Path: C:\Users\user\Desktop\file.exe..Work Dir: C:\Users\user\AppData\Local\Temp\adobejdT_84zuiGXP....IP: 81.181.57.52..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 910646 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 20/4/2024 20:5:17..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe [784]..svch
                                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4897
                                                                                                                                                                Entropy (8bit):2.518316437186352
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                                                                                                                                                MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                                                                                                                                                SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                                                                                                                                                SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                                                                                                                                                SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:ASCII text, with very long lines (769), with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6085
                                                                                                                                                                Entropy (8bit):6.038274200863744
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
                                                                                                                                                                MD5:ACB5AD34236C58F9F7D219FB628E3B58
                                                                                                                                                                SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
                                                                                                                                                                SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
                                                                                                                                                                SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6383
                                                                                                                                                                Entropy (8bit):5.30657485166248
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:x3c2/FZRsocT4Aisph+9hcB9GtB2LfwNz00uzANUbg3x:x3c4uovAtphWhcB9Gm9gB
                                                                                                                                                                MD5:17D2CB17F885FDF6A30685F1EA1DE3FB
                                                                                                                                                                SHA1:0408EE557FE915F5F419CB72504376079AA1E39F
                                                                                                                                                                SHA-256:53B88DEE7D9E35691BC0B1C423F9187AA7E7DBCBD3D0EFCD13FDFE8238D224D0
                                                                                                                                                                SHA-512:44D795257E5AEE647DA4BD4FB1621D9A15C0ACA0BB43337AE51449D3715EF0AF7C29BC9524FE215C3EA110EE744EC56A2368D1C796F9A727EB549ACB824FCDCA
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:Build: pivas..Version: 1.9....Date: Sat Apr 20 20:05:52 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 8c6034115eb0f9d8dd1b9d669a1c4d6a....Path: C:\ProgramData\MPGPH131\MPGPH131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\adobepjTpZimyl6qo....IP: 81.181.57.52..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 910646 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 20/4/2024 20:5:52..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe [784].
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4897
                                                                                                                                                                Entropy (8bit):2.518316437186352
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                                                                                                                                                MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                                                                                                                                                SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                                                                                                                                                SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                                                                                                                                                SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:ASCII text, with very long lines (769), with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6085
                                                                                                                                                                Entropy (8bit):6.038274200863744
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
                                                                                                                                                                MD5:ACB5AD34236C58F9F7D219FB628E3B58
                                                                                                                                                                SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
                                                                                                                                                                SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
                                                                                                                                                                SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6327
                                                                                                                                                                Entropy (8bit):5.305820168098647
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:x3c2osZRslcT4Aisph+9hcBzGtB2LfwNz000ANUbg3x:x3cSulvAtphWhcBzGm+B
                                                                                                                                                                MD5:E76D5E824A2D5850CAAC4510FA9966BD
                                                                                                                                                                SHA1:CF8FD91CB7CD043E8C29D0FE3F0C833BE783FEF0
                                                                                                                                                                SHA-256:F9F267718D515837A071DD4732BD39A5F0E4BD1BCB3D796A0B4BE93FD93E5969
                                                                                                                                                                SHA-512:11BBDB4043392248819C4FB7432C2F3CDB0FE52D907664E965FD237053D9A872BF1BEF952A6B026335C5BB9452CEA1E30E6D8F5DC690478D66D9E8D47BA20E1A
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:Build: pivas..Version: 1.9....Date: Sat Apr 20 20:05:40 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 8c6034115eb0f9d8dd1b9d669a1c4d6a....Path: C:\ProgramData\MPGPH131\MPGPH131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\adobezQtRch0ZmSou....IP: 81.181.57.52..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 910646 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 20/4/2024 20:5:40..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe [784].
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4897
                                                                                                                                                                Entropy (8bit):2.518316437186352
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                                                                                                                                                MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                                                                                                                                                SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                                                                                                                                                SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                                                                                                                                                SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):5573
                                                                                                                                                                Entropy (8bit):7.895179952697701
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:1WGzqeAoMq+YK0KF8cAJiI2i+uiBwUbdXBp67fDygJndqsS3KJAhf:ZqASpF8wFnwMxp67fjJdqsS6JAl
                                                                                                                                                                MD5:68CAC5522C15B46D4A5A7B9E0A412DBE
                                                                                                                                                                SHA1:93EDA4D56BF44C46CBE9BEA43EB1E37327418A3E
                                                                                                                                                                SHA-256:6016039A9C9C5183FA6DFC28F642EBC7485B66364634CB277D76CC2BF03F5365
                                                                                                                                                                SHA-512:B38D67F4F0D165D464AB20CEB8C659FAEB739B9649EFD48F236CA113CF68A70040082DCDB8024B1864B640EC660DDAFF97F35128D2DA188E16092F0ADD02E41D
                                                                                                                                                                Malicious:true
                                                                                                                                                                Yara Hits:
                                                                                                                                                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\ax62Lo_zBXq90uwBqgwbr3X.zip, Author: Joe Security
                                                                                                                                                                Preview:PK...........X................Cookies\..PK...........XQn.+............Cookies\Chrome_Default.txt.G..r...U.#.5C.....s$..-.D...7.\..$.G.)o....:....Z.C.f_..pm............"..t..t....}.k.@...a.2+P`.0.x.>....s..k%.._..b..P..((......B.....`.7..-m..JY..F....E.*.l.....I..&.....<J..M.......,V...)b.....Q..k......M?.5L....h}......X..'.0..tB.G...\;.a....4.......B4.......J.4.6.y:....4.-.UfE...3A*p.U5UX....Z.g:*e.j.C..Bw..........e..a^.vU:....$..U......B..`._.e.....+...9.{u...7.e...H.]02...%yR".0...x...P<..N....R.}....{.G...;..c..x...kw.'S>.d|.....B..k.9.t.!>.rh...~n.[....s#/....`.!..Kb8%&.vZB`....O|.....>K......L*...d0..03..t...T&.......`N.xp.."..J.......Q.....c..5...).Z.91.6.j..G.....Wr...a.52!..(^.U.....6....dB.D.^...7..0H.\J9.H.$^`e"..d...\....B.8Z=.qeP.3Y.>..'W.X..T..>z...,..K......g....%B.w4#...;.[]u|....v...3.;L..U?..b.....u..*..... .......F...P.a...|R*3.=......r.:.64...#D..^..>.A..ZT.]E........t...f...1..3.....`...X.....C.]%...p.p.ym
                                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):98304
                                                                                                                                                                Entropy (8bit):0.08235737944063153
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                                MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                                SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                                SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                                SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):114688
                                                                                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):5242880
                                                                                                                                                                Entropy (8bit):0.037963276276857943
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                                                                MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                                                                SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                                                                SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                                                                SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):126976
                                                                                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false
Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.037963276276857943
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:C0FDF21AE11A6D1FA1201D502614B622
SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:false
Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):2.5793180405395284
Encrypted:false
SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:41EA9A4112F057AE6BA17E2838AEAC26
SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false
Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):106496
                                                                                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):126976
                                                                                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):49152
                                                                                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):106496
                                                                                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):98304
                                                                                                                                                                Entropy (8bit):0.08235737944063153
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                                MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                                SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                                SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                                SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):49152
                                                                                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):5242880
                                                                                                                                                                Entropy (8bit):0.037963276276857943
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                                                                MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                                                                SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                                                                SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                                                                SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):106496
                                                                                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
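The File Type and Preview fields of the dropped databases above are both derived from the first 100 bytes of each file, the SQLite 3 file header. The following is an added example, not part of the Joe Sandbox report and not code from the sample: a Python parser that recovers the same fields from raw bytes, renders them in the wording of the report's File Type column (the report omits some fields in some entries; this version always prints them), and reproduces the Preview rendering, so a dropped or carved database can be checked without opening it in sqlite3. The header bytes are constructed here to match the "page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3" entries written by SQLite 3042000; the field offsets follow the published SQLite file format, and everything else is an assumption of this example.

```python
"""Parse the 100-byte SQLite 3 file header that the report's File Type lines summarise.
Added example, not part of the Joe Sandbox report; the sample header is constructed below."""
import struct
from dataclasses import dataclass
from typing import Optional

MAGIC = b"SQLite format 3\x00"
ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


@dataclass
class SqliteHeader:
    page_size: int
    write_version: int       # 1 = rollback journal, 2 = WAL ("writer version" in the report)
    read_version: int
    change_counter: int      # "file counter" in the report
    page_count: int          # "database pages" in the report
    schema_cookie: int       # "cookie"
    schema_format: int       # "schema"
    text_encoding: str
    user_version: int
    version_valid_for: int
    sqlite_version: int      # "last written using SQLite version"

    @property
    def page_count_valid(self) -> bool:
        # The in-header page count is only trustworthy when version-valid-for
        # equals the change counter; older SQLite builds left it stale.
        return self.page_count > 0 and self.version_valid_for == self.change_counter


def parse_sqlite_header(data: bytes) -> SqliteHeader:
    if len(data) < 100 or data[:16] != MAGIC:
        raise ValueError("not an SQLite 3 database header")
    # Every multi-byte integer in the header is big-endian.
    raw_page_size, write_v, read_v = struct.unpack(">HBB", data[16:20])
    page_size = 65536 if raw_page_size == 1 else raw_page_size  # 1 encodes 64 KiB pages
    (change_counter, page_count, _freelist_trunk, _freelist_count,
     schema_cookie, schema_format, _cache_size, _largest_root,
     encoding, user_version, _incr_vacuum, _app_id) = struct.unpack(">12I", data[24:72])
    version_valid_for, sqlite_version = struct.unpack(">II", data[92:100])
    return SqliteHeader(page_size, write_v, read_v, change_counter, page_count,
                        schema_cookie, schema_format,
                        ENCODINGS.get(encoding, f"unknown({encoding})"),
                        user_version, version_valid_for, sqlite_version)


def describe(h: SqliteHeader) -> str:
    """Render the header in the wording of the report's File Type column."""
    parts = ["SQLite 3.x database"]
    if h.user_version:
        parts.append(f"user version {h.user_version}")
    parts.append(f"last written using SQLite version {h.sqlite_version}")
    parts.append(f"page size {h.page_size}")
    if (h.write_version, h.read_version) != (1, 1):
        parts.append(f"writer version {h.write_version}, read version {h.read_version}")
    parts.append(f"file counter {h.change_counter}")
    parts.append(f"database pages {h.page_count}" if h.page_count_valid
                 else "database pages unknown (stale header count)")
    parts += [f"cookie 0x{h.schema_cookie:x}", f"schema {h.schema_format}",
              h.text_encoding, f"version-valid-for {h.version_valid_for}"]
    return ", ".join(parts)


def expected_size(h: SqliteHeader) -> Optional[int]:
    """Byte length implied by the header, to compare with a dropped file's Size (bytes)."""
    return h.page_size * h.page_count if h.page_count_valid else None


def preview(data: bytes, length: int = 100) -> str:
    """Render bytes as the report's Preview column does: printable ASCII kept, the rest '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:length])


def build_sample_header() -> bytes:
    """Constructed header matching the report's 2048-byte-page entries written by SQLite 3042000."""
    hdr = bytearray(100)
    hdr[0:16] = MAGIC
    struct.pack_into(">HBB", hdr, 16, 2048, 1, 1)   # page size, write/read version
    hdr[21:24] = bytes([64, 32, 32])                  # payload fractions fixed by the spec
    struct.pack_into(">12I", hdr, 24,
                     3,         # file change counter
                     52,        # database size in pages
                     0, 0,      # freelist trunk page, freelist page count
                     0x21,      # schema cookie
                     4,         # schema format number
                     0, 0,      # default cache size, largest root b-tree page
                     1,         # text encoding: UTF-8
                     0, 0, 0)   # user version, incremental vacuum, application id
    struct.pack_into(">II", hdr, 92, 3, 3042000)      # version-valid-for, SQLITE_VERSION_NUMBER
    return bytes(hdr)
```

Run `describe(parse_sqlite_header(open(path, "rb").read(100)))` on a dropped file to get the report's File Type line back from the bytes. Two checks worth doing on the entries above: `expected_size` gives 52 × 2048 = 106496 and 24 × 2048 = 49152, which agree with the Size (bytes) of those entries, and a disagreement would mean the header's page count is stale or the file was altered after the header was written; and the "j" near the end of the Preview strings of the 3042000 entries is the 0x6A byte of that version number, just as the "O}" in the 3035005 entries is 0x4F 0x7D, so the preview alone tells you which SQLite build last wrote the database.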
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):126976
                                                                                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):40960
                                                                                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):5242880
                                                                                                                                                                Entropy (8bit):0.037963276276857943
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                                                                MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                                                                SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                                                                SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                                                                SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):126976
                                                                                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):106496
                                                                                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):159744
                                                                                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):114688
                                                                                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):114688
                                                                                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):2.5793180405395284
Encrypted:false
SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:41EA9A4112F057AE6BA17E2838AEAC26
SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.037963276276857943
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:C0FDF21AE11A6D1FA1201D502614B622
SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.037963276276857943
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:C0FDF21AE11A6D1FA1201D502614B622
SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:false
Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):2.5793180405395284
Encrypted:false
SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:41EA9A4112F057AE6BA17E2838AEAC26
SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):159744
                                                                                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                                                Malicious:false
                                                                                                                                                                 Preview:SQLite format 3 [binary database content omitted]
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):49152
                                                                                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                                                                Malicious:false
                                                                                                                                                                 Preview:SQLite format 3 [binary database content omitted]
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):106496
                                                                                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                Malicious:false
                                                                                                                                                                 Preview:SQLite format 3 [binary database content omitted]
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):159744
                                                                                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                                                Malicious:false
                                                                                                                                                                 Preview:SQLite format 3 [binary database content omitted]
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):114688
                                                                                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                                Malicious:false
                                                                                                                                                                 Preview:SQLite format 3 [binary database content omitted]
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):5574
                                                                                                                                                                Entropy (8bit):7.90107412490964
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:NWGzqeAoMq+YK0KF8cAJiI2i+uv8ga+qMoeSjzobVMTYxha12J2FO4YS3KJFz:BqASpF8wF3ga8DotZ2Jw3YS6JFz
                                                                                                                                                                MD5:9EA8CCDAB65EA1279E8F9AFC64B834F8
                                                                                                                                                                SHA1:B2A7D5CC83FC2DD071CA81B87704539D9303771C
                                                                                                                                                                SHA-256:69B41DD8E1A3E7BE6388FE90CC546DB1DAE0A0B5313D4B5D0186C9991326978E
                                                                                                                                                                SHA-512:5D862A1AC63946B5A8575B5DFD32BE38633DF407F29F32E6B04829163DE3917B2501D1E3117946FBE01C7D915FB29FFD8F2ED255A8BBBF835E8C8B89C5025411
                                                                                                                                                                Malicious:true
                                                                                                                                                                Yara Hits:
                                                                                                                                                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\rTXApvaKL9yw6N5oqHITZ9U.zip, Author: Joe Security
                                                                                                                                                                 Preview:PK ... Cookies\ ... Cookies\Chrome_Default.txt [deflated archive content omitted]
                                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):13
                                                                                                                                                                Entropy (8bit):2.8731406795131336
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:LFPn:F
                                                                                                                                                                MD5:C531A007D40FE22B960BDA417324DF0F
                                                                                                                                                                SHA1:E3ADD71DD28C5FE53D0F0F4EFEF254E3E2D10F9C
                                                                                                                                                                SHA-256:9B45A51FFA2D964033D9660C1B5B903EE7CBB97F83D19D495DC84BC6770BB54B
                                                                                                                                                                SHA-512:8681AB4C812C0C82808AB527F65AF19FD238438427DF754D79ECFB18AE555562AD4BFC69B6AE916273C9C96BF19D50B7E2DCEF7D2C3835FE374A3CAC8AAAF6CF
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:1713640710385
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1835008
                                                                                                                                                                Entropy (8bit):4.468177262588214
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6144:HIXfpi67eLPU9skLmb0b4aWSPKaJG8nAgejZMMhA2gX4WABl0uNYdwBCswSbf:oXD94aWlLZMM6YFH6+f
                                                                                                                                                                MD5:F05DF382EEC1658FB1F7228C657C351F
                                                                                                                                                                SHA1:C1666BED5DD35B588FF7FA2EFE8D1E8AE3D4749E
                                                                                                                                                                SHA-256:2CEC4715598C1D91D2AF23F3C7C472D8261C2EF11DBF3B81614773B253CF0E8A
                                                                                                                                                                SHA-512:AB04B029A8AF4DAECB70243A791718D034C6E54EB26DA6B65AFBBBBB4085FF2A7FC1F26586B77790B203B5275063DD64597376517C8C29B9C720B918E3C819D0
                                                                                                                                                                Malicious:false
                                                                                                                                                                 Preview:regf ... \AppCompat\Programs\Amcache.hve [binary hive content omitted]
                                                                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Entropy (8bit):7.663785344043907
                                                                                                                                                                TrID:
                                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                File name:file.exe
                                                                                                                                                                File size:952'832 bytes
                                                                                                                                                                MD5:a815d2d73a30dfcab21000b326b29c13
                                                                                                                                                                SHA1:b9ec12b977b9ee6ecdcb74c7e718ad4018755625
                                                                                                                                                                SHA256:9ba89a594158dcad47219d1fffc94d54ceab08aa934dfaf80a9880fefd3e3070
                                                                                                                                                                SHA512:8f0cad5a685e5d6093f2a7c13b1ea3b7f3f267d72d95185621dc197031711e7d6eeba589fb08f96ccd69f5801fa7573e4818ee226e23aa7e460578d827a5fe97
                                                                                                                                                                SSDEEP:24576:3IwoFmXsR3sf1viW1V6T/uKWZUtH6z1o:YuosfYWH6zuKd6z
                                                                                                                                                                TLSH:7A15E00372E1BC64E66607329FAE95EC772EF8324E16BB2B32046E1F14B51B1C627751
                                                                                                                                                                 File Content Preview:MZ ... !This program cannot be run in DOS mode. ... Rich ... PE..L [binary content omitted]
                                                                                                                                                                Icon Hash:51214951454d510d
                                                                                                                                                                Entrypoint:0x403d77
                                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                                Digitally signed:false
                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                Subsystem:windows gui
                                                                                                                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                Time Stamp:0x6470A373 [Fri May 26 12:17:55 2023 UTC]
                                                                                                                                                                TLS Callbacks:
                                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                                OS Version Major:5
                                                                                                                                                                OS Version Minor:1
                                                                                                                                                                File Version Major:5
                                                                                                                                                                File Version Minor:1
                                                                                                                                                                Subsystem Version Major:5
                                                                                                                                                                Subsystem Version Minor:1
                                                                                                                                                                Import Hash:deee2f3ec985195fc99175dfed532c7c
Instruction
call 00007F980C928B68h
jmp 00007F980C921735h
push 00000014h
push 004177F0h
call 00007F980C925D58h
call 00007F980C928D39h
movzx esi, ax
push 00000002h
call 00007F980C928AFBh
pop ecx
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
je 00007F980C921736h
xor ebx, ebx
jmp 00007F980C921765h
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007F980C92171Dh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007F980C92170Fh
xor ebx, ebx
cmp dword ptr [eax+00400074h], 0Eh
jbe 00007F980C92173Bh
cmp dword ptr [eax+004000E8h], ebx
setne bl
mov dword ptr [ebp-1Ch], ebx
call 00007F980C92554Eh
test eax, eax
jne 00007F980C92173Ah
push 0000001Ch
call 00007F980C921811h
pop ecx
call 00007F980C924D10h
test eax, eax
jne 00007F980C92173Ah
push 00000010h
call 00007F980C921800h
pop ecx
call 00007F980C928B74h
and dword ptr [ebp-04h], 00000000h
call 00007F980C927BEDh
test eax, eax
jns 00007F980C92173Ah
push 0000001Bh
call 00007F980C9217E6h
pop ecx
call dword ptr [004110C8h]
mov dword ptr [01A9A2E0h], eax
call 00007F980C928B8Fh
mov dword ptr [004D222Ch], eax
call 00007F980C928532h
test eax, eax
jns 00007F980C92173Ah
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [IMP] VS2008 SP1 build 30729
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17c44 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x169b000 | 0x17c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11210 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x171c0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x17178 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x11000 | 0x19c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xfec5 | 0x10000 | 86dff270419606a8c033d898bc5a5d10 | False | 0.6038818359375 | data | 6.709261086285926 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x11000 | 0x75d0 | 0x7600 | f93394e81ff6f547570554b6c945600d | False | 0.3950278072033898 | data | 4.946788083409842 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x19000 | 0x16812e4 | 0xb9400 | c94b71d46f354f377c3413be1393db0a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x169b000 | 0x17c00 | 0x17c00 | b9c61ed5d555a298d5c017c8df29e781 | False | 0.3187088815789474 | data | 4.1399004439858045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x16adae0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.26439232409381663
RT_CURSOR | 0x16ae988 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.3686823104693141
RT_CURSOR | 0x16af230 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.49060693641618497
RT_CURSOR | 0x16af7c8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4375
RT_CURSOR | 0x16af8f8 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | | | 0.44886363636363635
RT_CURSOR | 0x16af9d0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.27238805970149255
RT_CURSOR | 0x16b0878 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.375
RT_CURSOR | 0x16b1120 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5057803468208093
RT_ICON | 0x169b8d0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.41359447004608296
RT_ICON | 0x169bf98 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.16524896265560166
RT_ICON | 0x169e540 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.2154255319148936
RT_ICON | 0x169e9d8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.41359447004608296
RT_ICON | 0x169f0a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.16524896265560166
RT_ICON | 0x16a1648 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.2154255319148936
RT_ICON | 0x16a1ae0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.37100213219616207
RT_ICON | 0x16a2988 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.45306859205776173
RT_ICON | 0x16a3230 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.4619815668202765
RT_ICON | 0x16a38f8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.45664739884393063
RT_ICON | 0x16a3e60 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.2691908713692946
RT_ICON | 0x16a6408 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.3062851782363977
RT_ICON | 0x16a74b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.350177304964539
RT_ICON | 0x16a7980 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.5674307036247335
RT_ICON | 0x16a8828 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.5469314079422383
RT_ICON | 0x16a90d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.6105491329479769
RT_ICON | 0x16a9638 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.46307053941908716
RT_ICON | 0x16abbe0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.4901500938086304
RT_ICON | 0x16acc88 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Romanian | Romania | 0.49385245901639346
RT_ICON | 0x16ad610 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.4530141843971631
RT_DIALOG | 0x16b18a8 | 0x52 | data | | | 0.8780487804878049
RT_STRING | 0x16b1900 | 0x3d2 | data | Romanian | Romania | 0.4539877300613497
RT_STRING | 0x16b1cd8 | 0x32a | data | Romanian | Romania | 0.47901234567901235
RT_STRING | 0x16b2008 | 0x1a8 | data | Romanian | Romania | 0.49528301886792453
RT_STRING | 0x16b21b0 | 0x30a | data | Romanian | Romania | 0.47429305912596403
RT_STRING | 0x16b24c0 | 0x534 | data | Romanian | Romania | 0.44744744744744747
RT_STRING | 0x16b29f8 | 0x208 | data | Romanian | Romania | 0.5038461538461538
RT_GROUP_CURSOR | 0x16af798 | 0x30 | data | | | 0.9375
RT_GROUP_CURSOR | 0x16af9a8 | 0x22 | data | | | 1.0588235294117647
RT_GROUP_CURSOR | 0x16b1688 | 0x30 | data | | | 0.9375
RT_GROUP_ICON | 0x16ada78 | 0x68 | data | Romanian | Romania | 0.7115384615384616
RT_GROUP_ICON | 0x169e9a8 | 0x30 | data | Romanian | Romania | 0.9375
RT_GROUP_ICON | 0x16a7918 | 0x68 | data | Romanian | Romania | 0.7115384615384616
RT_GROUP_ICON | 0x16a1ab0 | 0x30 | data | Romanian | Romania | 1.0
RT_VERSION | 0x16b16b8 | 0x1ec | data | | | 0.5386178861788617
DLL | Import
KERNEL32.dll | LocalCompact, GetUserDefaultLCID, AddConsoleAliasW, CreateHardLinkA, GetTickCount, GetWindowsDirectoryA, EnumTimeFormatsW, FindResourceExA, GetVolumeInformationA, LoadLibraryW, ReadConsoleInputA, CopyFileW, WriteConsoleW, GetCompressedFileSizeA, GetTempPathW, SetThreadLocale, GetLastError, SetLastError, GetProcAddress, GetLocaleInfoA, CreateTimerQueueTimer, SetStdHandle, SetFileAttributesA, WriteConsoleA, InterlockedExchangeAdd, LocalAlloc, SetCalendarInfoW, GetExitCodeThread, RemoveDirectoryW, AddAtomA, GlobalFindAtomW, GetModuleFileNameA, GetOEMCP, GlobalUnWire, LoadLibraryExA, AddConsoleAliasA, OutputDebugStringW, GetComputerNameA, FindFirstChangeNotificationW, GetSystemDefaultLangID, FlushFileBuffers, GetConsoleMode, HeapFree, EncodePointer, DecodePointer, IsProcessorFeaturePresent, GetCommandLineA, RaiseException, RtlUnwind, IsValidCodePage, GetACP, GetCPInfo, GetCurrentThreadId, IsDebuggerPresent, GetProcessHeap, ExitProcess, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, HeapSize, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, CloseHandle, HeapAlloc, WriteFile, GetModuleFileNameW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, GetStringTypeW, LoadLibraryExW, HeapReAlloc, ReadFile, SetFilePointerEx, LCMapStringW, GetConsoleCP, CreateFileW
USER32.dll | GetMenuItemID
GDI32.dll | GetCharacterPlacementW
ADVAPI32.dll | DeregisterEventSource
WINHTTP.dll | WinHttpConnect
Language of compilation system    Country where language is spoken    Map
Romanian                          Romania
Timestamp                 Protocol  SID      Message                                          Source Port  Dest Port  Source IP     Dest IP
04/20/24-20:05:38.687787  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)       49731        58709      192.168.2.4   147.45.47.93
04/20/24-20:05:02.409597  TCP       2046267  ET TROJAN [ANY.RUN] RisePro TCP (External IP)    58709        49730      147.45.47.93  192.168.2.4
04/20/24-20:05:01.031788  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)          58709        49730      147.45.47.93  192.168.2.4
04/20/24-20:05:05.549113  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)       49730        58709      192.168.2.4   147.45.47.93
04/20/24-20:05:58.481493  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)       49745        58709      192.168.2.4   147.45.47.93
04/20/24-20:05:00.821645  TCP       2049060  ET TROJAN RisePro TCP Heartbeat Packet           49730        58709      192.168.2.4   147.45.47.93
04/20/24-20:05:05.669470  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)          58709        49732      147.45.47.93  192.168.2.4
04/20/24-20:05:03.174322  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)          58709        49731      147.45.47.93  192.168.2.4
04/20/24-20:05:08.957422  TCP       2046267  ET TROJAN [ANY.RUN] RisePro TCP (External IP)    58709        49731      147.45.47.93  192.168.2.4
04/20/24-20:05:09.034376  TCP       2046267  ET TROJAN [ANY.RUN] RisePro TCP (External IP)    58709        49732      147.45.47.93  192.168.2.4
04/20/24-20:05:54.187156  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)       49744        58709      192.168.2.4   147.45.47.93
04/20/24-20:05:24.937277  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)          58709        49745      147.45.47.93  192.168.2.4
04/20/24-20:05:41.718793  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)       49732        58709      192.168.2.4   147.45.47.93
04/20/24-20:05:19.057028  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)          58709        49744      147.45.47.93  192.168.2.4
04/20/24-20:05:25.800661  TCP       2046267  ET TROJAN [ANY.RUN] RisePro TCP (External IP)    58709        49744      147.45.47.93  192.168.2.4
04/20/24-20:05:36.860964  TCP       2046267  ET TROJAN [ANY.RUN] RisePro TCP (External IP)    58709        49745      147.45.47.93  192.168.2.4
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Apr 20, 2024 20:05:00.592822075 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:00.812136889 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:00.812546968 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:00.821645021 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:01.031788111 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:01.078185081 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:01.087111950 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:02.409596920 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:02.453140020 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:02.729912043 CEST  49731        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:02.951994896 CEST  58709        49731      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:02.952207088 CEST  49731        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:02.958648920 CEST  49731        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:03.174321890 CEST  58709        49731      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:03.227992058 CEST  58709        49731      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:03.234409094 CEST  49731        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:05.224961042 CEST  49732        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:05.447334051 CEST  58709        49732      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:05.447448015 CEST  49732        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:05.458527088 CEST  49732        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:05.549113035 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:05.572334051 CEST  49733        443        192.168.2.4     34.117.186.192
Apr 20, 2024 20:05:05.572387934 CEST  443          49733      34.117.186.192  192.168.2.4
Apr 20, 2024 20:05:05.572460890 CEST  49733        443        192.168.2.4     34.117.186.192
Apr 20, 2024 20:05:05.575635910 CEST  49733        443        192.168.2.4     34.117.186.192
Apr 20, 2024 20:05:05.575653076 CEST  443          49733      34.117.186.192  192.168.2.4
Apr 20, 2024 20:05:05.669470072 CEST  58709        49732      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:05.718667984 CEST  49732        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:05.727941990 CEST  58709        49732      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:05.801635027 CEST  443          49733      34.117.186.192  192.168.2.4
Apr 20, 2024 20:05:05.801696062 CEST  49733        443        192.168.2.4     34.117.186.192
Apr 20, 2024 20:05:05.804970980 CEST  49733        443        192.168.2.4     34.117.186.192
Apr 20, 2024 20:05:05.804977894 CEST  443          49733      34.117.186.192  192.168.2.4
Apr 20, 2024 20:05:05.805393934 CEST  443          49733      34.117.186.192  192.168.2.4
Apr 20, 2024 20:05:05.821764946 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:06.015539885 CEST  49733        443        192.168.2.4     34.117.186.192
Apr 20, 2024 20:05:06.297142982 CEST  49731        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:06.571551085 CEST  58709        49731      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:06.632688046 CEST  49733        443        192.168.2.4     34.117.186.192
Apr 20, 2024 20:05:06.680119038 CEST  443          49733      34.117.186.192  192.168.2.4
Apr 20, 2024 20:05:06.771306992 CEST  443          49733      34.117.186.192  192.168.2.4
Apr 20, 2024 20:05:06.771509886 CEST  443          49733      34.117.186.192  192.168.2.4
Apr 20, 2024 20:05:06.771554947 CEST  49733        443        192.168.2.4     34.117.186.192
Apr 20, 2024 20:05:06.774422884 CEST  49733        443        192.168.2.4     34.117.186.192
Apr 20, 2024 20:05:06.774446011 CEST  443          49733      34.117.186.192  192.168.2.4
Apr 20, 2024 20:05:06.774457932 CEST  49733        443        192.168.2.4     34.117.186.192
Apr 20, 2024 20:05:06.774462938 CEST  443          49733      34.117.186.192  192.168.2.4
Apr 20, 2024 20:05:06.885721922 CEST  49734        443        192.168.2.4     104.26.4.15
Apr 20, 2024 20:05:06.885749102 CEST  443          49734      104.26.4.15     192.168.2.4
Apr 20, 2024 20:05:06.885907888 CEST  49734        443        192.168.2.4     104.26.4.15
Apr 20, 2024 20:05:06.886132956 CEST  49734        443        192.168.2.4     104.26.4.15
Apr 20, 2024 20:05:06.886143923 CEST  443          49734      104.26.4.15     192.168.2.4
Apr 20, 2024 20:05:07.113073111 CEST  443          49734      104.26.4.15     192.168.2.4
Apr 20, 2024 20:05:07.113118887 CEST  49734        443        192.168.2.4     104.26.4.15
Apr 20, 2024 20:05:07.314233065 CEST  49734        443        192.168.2.4     104.26.4.15
Apr 20, 2024 20:05:07.314259052 CEST  443          49734      104.26.4.15     192.168.2.4
Apr 20, 2024 20:05:07.314737082 CEST  443          49734      104.26.4.15     192.168.2.4
Apr 20, 2024 20:05:07.316426992 CEST  49734        443        192.168.2.4     104.26.4.15
Apr 20, 2024 20:05:07.364113092 CEST  443          49734      104.26.4.15     192.168.2.4
Apr 20, 2024 20:05:07.369251013 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:07.421808958 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:07.528328896 CEST  443          49734      104.26.4.15     192.168.2.4
Apr 20, 2024 20:05:07.528420925 CEST  443          49734      104.26.4.15     192.168.2.4
Apr 20, 2024 20:05:07.528589964 CEST  49734        443        192.168.2.4     104.26.4.15
Apr 20, 2024 20:05:07.528635979 CEST  49734        443        192.168.2.4     104.26.4.15
Apr 20, 2024 20:05:07.528650045 CEST  443          49734      104.26.4.15     192.168.2.4
Apr 20, 2024 20:05:07.528660059 CEST  49734        443        192.168.2.4     104.26.4.15
Apr 20, 2024 20:05:07.528664112 CEST  443          49734      104.26.4.15     192.168.2.4
Apr 20, 2024 20:05:07.529086113 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:07.790594101 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:08.781502008 CEST  49732        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:08.919464111 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:08.953768969 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:08.957422018 CEST  58709        49731      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:09.000066996 CEST  49731        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:09.034375906 CEST  58709        49732      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:09.078130960 CEST  49732        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:09.227838039 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:10.544751883 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:10.558913946 CEST  58709        49731      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:10.593800068 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:10.594162941 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:10.609414101 CEST  49731        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:10.635179996 CEST  58709        49732      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:10.687438011 CEST  49732        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:10.868293047 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:12.203247070 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:12.203311920 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:12.203353882 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:12.203394890 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:12.203437090 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:12.203476906 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:12.203517914 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:12.203537941 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:12.203537941 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:12.203537941 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:12.203555107 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:12.203593016 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:12.203634977 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:12.203655958 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:12.203679085 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:12.213227987 CEST  58709        49731      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:12.328243017 CEST  49731        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:12.422771931 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:12.422833920 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:12.422873020 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:12.422909021 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:12.422955990 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:12.423058033 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:12.423058033 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:12.487442970 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:12.759371042 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:12.837333918 CEST  58709        49732      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:12.890568972 CEST  49732        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:13.061140060 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:13.109435081 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:13.156733036 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:13.431091070 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:13.856669903 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:13.937452078 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:14.160016060 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 20, 2024 20:05:14.250082016 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:14.515003920 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:14.624835968 CEST  49731        58709      192.168.2.4     147.45.47.93
Apr 20, 2024 20:05:14.701076031 CEST  49735        443        192.168.2.4     34.117.186.192
Apr 20, 2024 20:05:14.701136112 CEST  443          49735      34.117.186.192  192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:14.701199055 CEST49735443192.168.2.434.117.186.192
                                                                                                                                                                Apr 20, 2024 20:05:14.702214956 CEST49735443192.168.2.434.117.186.192
                                                                                                                                                                Apr 20, 2024 20:05:14.702229977 CEST4434973534.117.186.192192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:14.774610043 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:14.786322117 CEST4973258709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:14.802175045 CEST49736443192.168.2.434.117.186.192
                                                                                                                                                                Apr 20, 2024 20:05:14.802254915 CEST4434973634.117.186.192192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:14.802639961 CEST49736443192.168.2.434.117.186.192
                                                                                                                                                                Apr 20, 2024 20:05:14.803544044 CEST49736443192.168.2.434.117.186.192
                                                                                                                                                                Apr 20, 2024 20:05:14.803627014 CEST4434973634.117.186.192192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:14.899503946 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:14.918118000 CEST4434973534.117.186.192192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:14.918246984 CEST49735443192.168.2.434.117.186.192
                                                                                                                                                                Apr 20, 2024 20:05:14.919589043 CEST49735443192.168.2.434.117.186.192
                                                                                                                                                                Apr 20, 2024 20:05:14.919609070 CEST4434973534.117.186.192192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:14.919929981 CEST4434973534.117.186.192192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:15.020174980 CEST4434973634.117.186.192192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:15.020387888 CEST49736443192.168.2.434.117.186.192
                                                                                                                                                                Apr 20, 2024 20:05:15.021471977 CEST49736443192.168.2.434.117.186.192
                                                                                                                                                                Apr 20, 2024 20:05:15.021522999 CEST4434973634.117.186.192192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:15.021795034 CEST4434973634.117.186.192192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:15.031188011 CEST49735443192.168.2.434.117.186.192
                                                                                                                                                                Apr 20, 2024 20:05:15.056313992 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:15.125000000 CEST49736443192.168.2.434.117.186.192
                                                                                                                                                                Apr 20, 2024 20:05:15.559353113 CEST49735443192.168.2.434.117.186.192
                                                                                                                                                                Apr 20, 2024 20:05:15.604113102 CEST4434973534.117.186.192192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:15.691047907 CEST4434973534.117.186.192192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:15.691143990 CEST4434973534.117.186.192192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:15.691220999 CEST49735443192.168.2.434.117.186.192
                                                                                                                                                                Apr 20, 2024 20:05:15.691725969 CEST49735443192.168.2.434.117.186.192
                                                                                                                                                                Apr 20, 2024 20:05:15.691744089 CEST4434973534.117.186.192192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:15.691759109 CEST49735443192.168.2.434.117.186.192
                                                                                                                                                                Apr 20, 2024 20:05:15.691766024 CEST4434973534.117.186.192192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:15.708950043 CEST49737443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:15.709029913 CEST44349737104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:15.709136009 CEST49737443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:15.709630966 CEST49737443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:15.709661007 CEST44349737104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:15.845273972 CEST49736443192.168.2.434.117.186.192
                                                                                                                                                                Apr 20, 2024 20:05:15.892199039 CEST4434973634.117.186.192192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:15.927862883 CEST44349737104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:15.927978039 CEST49737443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:15.983365059 CEST4434973634.117.186.192192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:15.983438969 CEST4434973634.117.186.192192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:15.983683109 CEST49736443192.168.2.434.117.186.192
                                                                                                                                                                Apr 20, 2024 20:05:15.983829021 CEST49736443192.168.2.434.117.186.192
                                                                                                                                                                Apr 20, 2024 20:05:15.983872890 CEST4434973634.117.186.192192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:15.983908892 CEST49736443192.168.2.434.117.186.192
                                                                                                                                                                Apr 20, 2024 20:05:15.983922958 CEST4434973634.117.186.192192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:16.009170055 CEST49739443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:16.009237051 CEST44349739104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:16.009351969 CEST49739443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:16.009625912 CEST49739443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:16.009663105 CEST44349739104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:16.226991892 CEST44349739104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:16.227210999 CEST49739443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:16.228256941 CEST49739443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:16.228308916 CEST44349739104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:16.228553057 CEST44349739104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:16.232228994 CEST49739443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:16.276206017 CEST44349739104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:16.554697990 CEST44349739104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:16.554790974 CEST44349739104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:16.554935932 CEST49739443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:16.555531025 CEST49739443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:16.555531025 CEST49739443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:16.555561066 CEST44349739104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:16.555578947 CEST44349739104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:16.556015968 CEST4973258709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:16.821800947 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:17.075553894 CEST49737443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:17.075633049 CEST44349737104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:17.075968981 CEST44349737104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:17.077853918 CEST49737443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:17.124157906 CEST44349737104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:17.289472103 CEST44349737104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:17.289557934 CEST44349737104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:17.290051937 CEST49737443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:17.290052891 CEST49737443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:17.290199041 CEST49737443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:17.290242910 CEST44349737104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:17.290303946 CEST4973158709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:17.556082010 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:18.559233904 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:18.605547905 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:18.610527039 CEST4973158709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:18.618350029 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:18.672693968 CEST4973258709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:18.837574005 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:18.837827921 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:18.845947981 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:18.899876118 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:18.946363926 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:19.057028055 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:19.118823051 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:19.234306097 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:21.622400999 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:21.672112942 CEST4973158709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:21.946896076 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:22.188374043 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:22.356904030 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:22.391015053 CEST4973258709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:22.462884903 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:22.665370941 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:24.289180040 CEST4973058709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:24.289180040 CEST4973058709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:24.492635012 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:24.509020090 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:24.509079933 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:24.509118080 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:24.509211063 CEST4973058709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:24.715024948 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:24.715198040 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:24.720381021 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:24.775298119 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:24.937277079 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:24.993798018 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:25.117311954 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:25.800661087 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:25.843689919 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:25.922377110 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:25.922437906 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:40.906800032 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:40.906837940 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:40.906857967 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:40.906857967 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:40.906877041 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:40.906893969 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:40.906971931 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:40.907011986 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:40.907052994 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:40.907077074 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:40.907098055 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:41.126111031 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:41.126173973 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:41.126213074 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:41.126250982 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:41.126266956 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:41.126292944 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:41.126352072 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:41.218792915 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:41.234637976 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:41.235663891 CEST49756443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:41.235665083 CEST49756443192.168.2.4104.26.4.15
                                                                                                                                                                Apr 20, 2024 20:05:41.235726118 CEST44349756104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:41.235760927 CEST44349756104.26.4.15192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:41.236116886 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:41.493942022 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:41.508902073 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:41.718792915 CEST4973258709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:41.993412018 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:42.167068005 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:42.218704939 CEST4973258709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:42.638851881 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:42.656477928 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:42.734570980 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:42.765707016 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:42.885303020 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:42.931155920 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:42.965229988 CEST4973258709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:43.040242910 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.227734089 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.248991013 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.296715021 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.312458038 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:43.328217983 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:43.602905989 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.762845993 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.768868923 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.768940926 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.768981934 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.769013882 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:43.769018888 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.769057989 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.769083977 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:43.769095898 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.769135952 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.769172907 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.769186974 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:43.769218922 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.769238949 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:43.769263029 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.769315004 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:43.886292934 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:43.991425037 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.991488934 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.991528988 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.991569042 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.991595030 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:43.991614103 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:43.991667986 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:44.093735933 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:44.149909019 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:44.329695940 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:44.421825886 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:44.422189951 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:44.655086040 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:44.718692064 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:45.104053974 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:45.218703032 CEST4973158709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:45.856800079 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:45.931400061 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:45.931607962 CEST4973058709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:46.015686035 CEST4973158709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:46.238287926 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:46.407896996 CEST4973158709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:46.823947906 CEST4973158709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:47.087510109 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:54.187155962 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:54.416903973 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:54.515624046 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:55.485889912 CEST4973258709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:55.485963106 CEST4973258709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:55.707427979 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:55.707488060 CEST4973258709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:55.707504988 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:55.707632065 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:55.977864981 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:58.481492996 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:58.547014952 CEST4973258709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:05:58.743550062 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:05:58.768567085 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:06:01.058022976 CEST5870949745147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:06:01.109337091 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:06:03.796230078 CEST4973158709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:06:03.796622038 CEST4973158709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:06:04.018802881 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:06:04.018831968 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:06:04.019002914 CEST4973158709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:06:04.019117117 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:06:04.130776882 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:06:04.130834103 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:06:04.290529966 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:06:04.350023031 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:06:04.350080967 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:06:04.350119114 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:06:04.350209951 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:06:04.618261099 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:06:06.844000101 CEST4973158709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:06:07.066221952 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:06:07.140851021 CEST4974458709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:06:07.360308886 CEST5870949744147.45.47.93192.168.2.4
                                                                                                                                                                Apr 20, 2024 20:06:07.894715071 CEST4974558709192.168.2.4147.45.47.93
                                                                                                                                                                Apr 20, 2024 20:06:07.894886971 CEST4974558709192.168.2.4147.45.47.93
Apr 20, 2024 20:06:08.116686106 CEST | 58709 | 49745 | 147.45.47.93 | 192.168.2.4
Apr 20, 2024 20:06:08.116708994 CEST | 58709 | 49745 | 147.45.47.93 | 192.168.2.4
Apr 20, 2024 20:06:08.116777897 CEST | 49745 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 20, 2024 20:06:08.116893053 CEST | 58709 | 49745 | 147.45.47.93 | 192.168.2.4
Apr 20, 2024 20:06:08.384418011 CEST | 58709 | 49745 | 147.45.47.93 | 192.168.2.4
Apr 20, 2024 20:06:08.916395903 CEST | 58709 | 49744 | 147.45.47.93 | 192.168.2.4
Apr 20, 2024 20:06:08.916457891 CEST | 49744 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 20, 2024 20:06:09.400269032 CEST | 58709 | 49745 | 147.45.47.93 | 192.168.2.4
Apr 20, 2024 20:06:09.400418997 CEST | 49745 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 20, 2024 20:06:09.665484905 CEST | 58709 | 49745 | 147.45.47.93 | 192.168.2.4
Apr 20, 2024 20:06:10.906255960 CEST | 49745 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 20, 2024 20:06:11.128405094 CEST | 58709 | 49745 | 147.45.47.93 | 192.168.2.4
Apr 20, 2024 20:06:11.135700941 CEST | 58709 | 49745 | 147.45.47.93 | 192.168.2.4
Apr 20, 2024 20:06:11.135776997 CEST | 49745 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 20, 2024 20:06:39.931180000 CEST | 58709 | 49732 | 147.45.47.93 | 192.168.2.4
Apr 20, 2024 20:06:39.931246042 CEST | 58709 | 49731 | 147.45.47.93 | 192.168.2.4
Apr 20, 2024 20:06:39.931432009 CEST | 49732 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 20, 2024 20:06:39.931478977 CEST | 49731 | 58709 | 192.168.2.4 | 147.45.47.93
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 20, 2024 20:05:05.461889029 CEST | 50119 | 53 | 192.168.2.4 | 1.1.1.1
Apr 20, 2024 20:05:05.567878962 CEST | 53 | 50119 | 1.1.1.1 | 192.168.2.4
Apr 20, 2024 20:05:06.776537895 CEST | 52463 | 53 | 192.168.2.4 | 1.1.1.1
Apr 20, 2024 20:05:06.884068966 CEST | 53 | 52463 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 20, 2024 20:05:05.461889029 CEST | 192.168.2.4 | 1.1.1.1 | 0x6658 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Apr 20, 2024 20:05:06.776537895 CEST | 192.168.2.4 | 1.1.1.1 | 0xfcc8 | Standard query (0) | db-ip.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 20, 2024 20:05:05.567878962 CEST | 1.1.1.1 | 192.168.2.4 | 0x6658 | No error (0) | ipinfo.io | | 34.117.186.192 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 20:05:06.884068966 CEST | 1.1.1.1 | 192.168.2.4 | 0xfcc8 | No error (0) | db-ip.com | | 104.26.4.15 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 20:05:06.884068966 CEST | 1.1.1.1 | 192.168.2.4 | 0xfcc8 | No error (0) | db-ip.com | | 172.67.75.166 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 20:05:06.884068966 CEST | 1.1.1.1 | 192.168.2.4 | 0xfcc8 | No error (0) | db-ip.com | | 104.26.5.15 | A (IP address) | IN (0x0001) | false
• https:
  • ipinfo.io
  • db-ip.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49733 | 34.117.186.192 | 443 | 7448 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-20 18:05:06 UTC | 237 | OUT | GET /widget/demo/81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: ipinfo.io
2024-04-20 18:05:06 UTC | 513 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Sat, 20 Apr 2024 18:05:06 GMT
content-type: application/json; charset=utf-8
Content-Length: 980
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 6
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-20 18:05:06 UTC | 742 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-20 18:05:06 UTC | 238 | IN | Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49734 | 104.26.4.15 | 443 | 7448 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-20 18:05:07 UTC | 261 | OUT | GET /demo/home.php?s=81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: db-ip.com
2024-04-20 18:05:07 UTC | 654 | IN | HTTP/1.1 200 OK
Date: Sat, 20 Apr 2024 18:05:07 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-iplb-request-id: AC471E7A:A9D4_93878F2E:0050_662403D3_9151A5E:4F34
x-iplb-instance: 59215
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QOkwGvh0Dwp22mp1xyYqnbCURXwOYrVyNzUtOu9r6XqnhNtGxIsvhNluI%2FFiID%2FI6ghsjsVBKjpBh6Kj8qz%2FdxcfJt7phDKvdyTxTqBOjKvHIPhpKCVsLXeUmg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87770f89095753c7-ATL
alt-svc: h3=":443"; ma=86400
2024-04-20 18:05:07 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-20 18:05:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
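
The two sessions above show the sample looking up the same public address first at ipinfo.io and then at db-ip.com, both times with a Chrome User-Agent sent by file.exe, and the db-ip.com reply arriving with Transfer-Encoding: chunked (the 4f in front of the JSON in the Data Ascii column is the chunk size, not part of the body). The Python below is an added triage helper and not code from the report or from the sample: it parses session tables in the pipe-separated layout used here, de-chunks the response body before parsing it as JSON, and lists geo-IP lookups made by non-browser processes. The row layout, the geo-IP watch-list, the browser allow-list and session 0's 16-byte body are assumptions constructed for the example; session 1's bytes are the db-ip.com reply from the table above.

```python
# Added triage helper (example code, not part of the Joe Sandbox report). The
# pipe-separated layout, the watch-list and the allow-list are assumptions.
import json
import re
from dataclasses import dataclass, field

GEOIP_HOSTS = {"ipinfo.io", "db-ip.com"}                # assumed watch-list
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")  # assumed allow-list

# Constructed sample in the layout of the report's session tables. Session 0's
# 16-byte body is made up; session 1's bytes are the chunked db-ip.com reply.
SAMPLE = """\
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49733 | 34.117.186.192 | 443 | 7448 | C:\\Users\\user\\Desktop\\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-20 18:05:06 UTC | 237 | OUT | GET /widget/demo/81.181.57.52 HTTP/1.1
Host: ipinfo.io
2024-04-20 18:05:06 UTC | 513 | IN | HTTP/1.1 200 OK
2024-04-20 18:05:06 UTC | 16 | IN | Data Raw: 7b 22 63 6f 75 6e 74 72 79 22 3a 22 55 53 22 7d
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49734 | 104.26.4.15 | 443 | 7448 | C:\\Users\\user\\Desktop\\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-20 18:05:07 UTC | 261 | OUT | GET /demo/home.php?s=81.181.57.52 HTTP/1.1
Host: db-ip.com
2024-04-20 18:05:07 UTC | 654 | IN | HTTP/1.1 200 OK
Transfer-Encoding: chunked
2024-04-20 18:05:07 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-20 18:05:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
"""

REQUEST_RE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$")

@dataclass
class Session:
    sid: int
    dst: str                       # "ip:port"
    pid: int
    process: str
    chunked: bool = False          # set from the response's Transfer-Encoding
    requests: list = field(default_factory=list)          # {method, path, host}
    raw_in: bytearray = field(default_factory=bytearray)  # body bytes from IN rows

def parse_sessions(text: str) -> list[Session]:
    """Walk the dump line by line; a 'Session ID' header starts a new session."""
    sessions, cur, want_row = [], None, False
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|", 3)]
        if line.startswith("Session ID"):
            want_row = True
        elif want_row:                                  # the one row under the header
            sid, _, _, dip, dport, pid, proc = (p.strip() for p in line.split("|", 6))
            cur = Session(int(sid), f"{dip}:{dport}", int(pid), proc)
            sessions.append(cur)
            want_row = False
        elif cur is None or line.startswith("Timestamp"):
            pass
        elif len(parts) == 4 and parts[1].isdigit():    # timestamp|bytes|direction|data
            direction, data = parts[2], parts[3]
            if data.startswith("Data Raw: ") and direction == "IN":
                cur.raw_in += bytes.fromhex(data[10:])
            elif direction == "OUT" and (m := REQUEST_RE.match(data)):
                cur.requests.append({"method": m[1], "path": m[2], "host": None})
        else:                                           # an HTTP header or Data Ascii line
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "host" and cur.requests and cur.requests[-1]["host"] is None:
                cur.requests[-1]["host"] = value
            elif key == "transfer-encoding" and "chunked" in value.lower():
                cur.chunked = True
    return sessions

def decode_chunked(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body; raise rather than silently truncate."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("missing chunk-size line")
        size = int(body[pos:end].split(b";", 1)[0].strip(), 16)   # drops chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)                       # last-chunk; trailers ignored
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += body[pos:pos + size]
        pos += size + 2

def decoded_body(s: Session):
    """JSON-decode the response body, de-chunking it when the headers say so."""
    raw = bytes(s.raw_in)
    return json.loads(decode_chunked(raw) if s.chunked else raw) if raw else None

def geoip_lookups(sessions: list[Session]) -> list[dict]:
    """One finding per geo-IP request from a process that is not a browser."""
    return [{"pid": s.pid, "process": s.process, "host": r["host"],
             "path": r["path"], "dst": s.dst}
            for s in sessions if not s.process.lower().endswith(BROWSERS)
            for r in s.requests if r["host"] in GEOIP_HOSTS]
```

The process name decides, not the User-Agent: a browser-looking UA sent by a binary under the user's Desktop or ProgramData is exactly the mismatch worth surfacing. De-chunking before JSON parsing matters because the Data Ascii rendering above includes the chunk-size line; fed to a JSON parser as-is it fails, and a decoder that silently stops at a short chunk would hide a truncated capture.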


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49735 | 34.117.186.192 | 443 | 7548 | C:\ProgramData\MPGPH131\MPGPH131.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-20 18:05:15 UTC | 237 | OUT | GET /widget/demo/81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: ipinfo.io
2024-04-20 18:05:15 UTC | 513 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Sat, 20 Apr 2024 18:05:15 GMT
content-type: application/json; charset=utf-8
Content-Length: 980
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 2
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-20 18:05:15 UTC | 742 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-20 18:05:15 UTC | 238 | IN | Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49736 | 34.117.186.192 | 443 | 7716 | C:\ProgramData\MPGPH131\MPGPH131.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-20 18:05:15 UTC | 237 | OUT | GET /widget/demo/81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: ipinfo.io
2024-04-20 18:05:15 UTC | 513 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Sat, 20 Apr 2024 18:05:15 GMT
content-type: application/json; charset=utf-8
Content-Length: 980
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 4
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-20 18:05:15 UTC | 742 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-20 18:05:15 UTC | 238 | IN | Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49739 | 104.26.4.15 | 443 | 7716 | C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-20 18:05:16 UTC | 261 | OUT | GET /demo/home.php?s=81.181.57.52 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: db-ip.com
2024-04-20 18:05:16 UTC | 648 | IN | HTTP/1.1 200 OK
    Date: Sat, 20 Apr 2024 18:05:16 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: close
    x-iplb-request-id: AC454655:40C6_93878F2E:0050_662403DC_912A5F7:7B63
    x-iplb-instance: 59128
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5Z7RkVvFmJbxTrn8V1Xaxss00ihDEudugiIPhX0Cxwr3QBuRGRvN9snjExgXPKMUFFwFqgzZpvEVl2rCNyNmzlo4scFCAPHy5BUHITznSubcM3eIqOUpDwu6AA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 87770fc1ab36458e-ATL
    alt-svc: h3=":443"; ma=86400
2024-04-20 18:05:16 UTC | 85 | IN | Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-20 18:05:16 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49737 | 104.26.4.15 | 443 | 7548 | C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-20 18:05:17 UTC | 261 | OUT | GET /demo/home.php?s=81.181.57.52 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: db-ip.com
2024-04-20 18:05:17 UTC | 650 | IN | HTTP/1.1 200 OK
    Date: Sat, 20 Apr 2024 18:05:17 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: close
    x-iplb-request-id: AC471635:474A_93878F2E:0050_662403DD_9151B27:4F34
    x-iplb-instance: 59215
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eBDRKwxKiUMhpvzyxIEKdtGhOOjh8PbN3Wl6Vf2OSgI7Guv0XEKIIqDig3AmmHP19s13cekwbF7Hn5C1nJ3mn6Dhx2OXlrPDh4wR3pccr2QYWdhdect%2BlAwmfw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 87770fc61ef8b0bd-ATL
    alt-svc: h3=":443"; ma=86400
2024-04-20 18:05:17 UTC | 85 | IN | Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-20 18:05:17 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
6 | 192.168.2.4 | 49746 | 34.117.186.192 | 443

Timestamp | Bytes transferred | Direction | Data
2024-04-20 18:05:27 UTC | 237 | OUT | GET /widget/demo/81.181.57.52 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: ipinfo.io
2024-04-20 18:05:27 UTC | 513 | IN | HTTP/1.1 200 OK
    server: nginx/1.24.0
    date: Sat, 20 Apr 2024 18:05:27 GMT
    content-type: application/json; charset=utf-8
    Content-Length: 980
    access-control-allow-origin: *
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    referrer-policy: strict-origin-when-cross-origin
    x-envoy-upstream-service-time: 3
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-04-20 18:05:27 UTC | 742 | IN | Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-20 18:05:27 UTC | 238 | IN | Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port
7 | 192.168.2.4 | 49747 | 104.26.4.15 | 443

Timestamp | Bytes transferred | Direction | Data
2024-04-20 18:05:28 UTC | 261 | OUT | GET /demo/home.php?s=81.181.57.52 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: db-ip.com
2024-04-20 18:05:28 UTC | 652 | IN | HTTP/1.1 200 OK
    Date: Sat, 20 Apr 2024 18:05:28 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: close
    x-iplb-request-id: AC47162E:98E2_93878F2E:0050_662403E8_9151C23:4F34
    x-iplb-instance: 59215
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Au7KmrDDLd2fWJe0YBM9q7k42WGAGN7q7AKNAyQb0Pq3H85rDBrnvUJhwd55NYyx%2BMnv%2FqHoWnuonL8RlSR3xyQ9lthdHyyCtPpfCdjkcrpoJr6PbgMvngYJvQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8777100cfeb9b066-ATL
    alt-svc: h3=":443"; ma=86400
2024-04-20 18:05:28 UTC | 85 | IN | Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-20 18:05:28 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
8 | 192.168.2.4 | 49755 | 34.117.186.192 | 443

Timestamp | Bytes transferred | Direction | Data
2024-04-20 18:05:39 UTC | 237 | OUT | GET /widget/demo/81.181.57.52 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: ipinfo.io
2024-04-20 18:05:40 UTC | 513 | IN | HTTP/1.1 200 OK
    server: nginx/1.24.0
    date: Sat, 20 Apr 2024 18:05:40 GMT
    content-type: application/json; charset=utf-8
    Content-Length: 980
    access-control-allow-origin: *
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    referrer-policy: strict-origin-when-cross-origin
    x-envoy-upstream-service-time: 2
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-04-20 18:05:40 UTC | 742 | IN | Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-20 18:05:40 UTC | 238 | IN | Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID: 9
Source IP: 192.168.2.4
Source Port: 49756
Destination IP: 104.26.4.15
Destination Port: 443

Timestamp: 2024-04-20 18:05:40 UTC, Bytes transferred: 261, Direction: OUT
GET /demo/home.php?s=81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: db-ip.com
Timestamp: 2024-04-20 18:05:40 UTC, Bytes transferred: 654, Direction: IN
HTTP/1.1 200 OK
Date: Sat, 20 Apr 2024 18:05:40 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-iplb-request-id: AC471ED6:D8D2_93878F2E:0050_662403F4_912A7EB:7B63
x-iplb-instance: 59128
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vVYTfb6LYeLEDxWNuwFDt%2BT4azn7KIelNYLsZm8V2rQxsFZw8VsY%2FLpQe0Vh0T6%2BuMpm66S556yI7jAjoJweCqixSWcytCS0ObDNqZN3DO1bfbSR4Gygb1mmJQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 877710587e41add2-ATL
alt-svc: h3=":443"; ma=86400
Timestamp: 2024-04-20 18:05:40 UTC, Bytes transferred: 85, Direction: IN
Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
Timestamp: 2024-04-20 18:05:40 UTC, Bytes transferred: 5, Direction: IN
Data Ascii: 0



Target ID: 0
Start time: 20:04:56
Start date: 20/04/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x400000
File size: 952'832 bytes
MD5 hash: A815D2D73A30DFCAB21000B326B29C13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2081219970.000000000370D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2081934645.0000000006720000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2081435300.0000000003890000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2081435300.0000000003890000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1666330206.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 20:04:58
Start date: 20/04/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase: 0x950000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 20:04:58
Start date: 20/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 20:04:58
Start date: 20/04/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase: 0x950000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 20:04:58
Start date: 20/04/2024
Path: C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit): true
Commandline: C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase: 0x400000
File size: 952'832 bytes
MD5 hash: A815D2D73A30DFCAB21000B326B29C13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000004.00000002.2374176971.0000000006728000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000004.00000002.2371863766.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.2373416291.0000000003707000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000004.00000003.1684180987.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000004.00000002.2370794973.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000004.00000002.2373632178.00000000038E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.2373632178.00000000038E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 37%, ReversingLabs
• Detection: 44%, Virustotal
Reputation: low
Has exited: true

Target ID: 5
Start time: 20:04:58
Start date: 20/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 20:04:58
Start date: 20/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 848
Imagebase: 0x960000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 20:05:00
Start date: 20/04/2024
Path: C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit): true
Commandline: C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase: 0x400000
File size: 952'832 bytes
MD5 hash: A815D2D73A30DFCAB21000B326B29C13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000009.00000002.2305457236.00000000035A1000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000002.2304201006.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000002.2305705773.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000009.00000002.2305705773.0000000003830000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000002.2306103257.0000000006730000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2305000838.0000000001C95000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000003.1705537281.0000000003990000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                Reputation:low
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:11
                                                                                                                                                                Start time:20:05:01
                                                                                                                                                                Start date:20/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 808
                                                                                                                                                                Imagebase:0x960000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:13
                                                                                                                                                                Start time:20:05:01
                                                                                                                                                                Start date:20/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 960
                                                                                                                                                                Imagebase:0x960000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:15
                                                                                                                                                                Start time:20:05:02
                                                                                                                                                                Start date:20/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 972
                                                                                                                                                                Imagebase:0x960000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:17
                                                                                                                                                                Start time:20:05:02
                                                                                                                                                                Start date:20/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 976
                                                                                                                                                                Imagebase:0x960000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:19
                                                                                                                                                                Start time:20:05:03
                                                                                                                                                                Start date:20/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 776
                                                                                                                                                                Imagebase:0x960000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:21
                                                                                                                                                                Start time:20:05:03
                                                                                                                                                                Start date:20/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 976
                                                                                                                                                                Imagebase:0x960000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:23
                                                                                                                                                                Start time:20:05:04
                                                                                                                                                                Start date:20/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 1396
                                                                                                                                                                Imagebase:0x960000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:25
                                                                                                                                                                Start time:20:05:05
                                                                                                                                                                Start date:20/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 996
                                                                                                                                                                Imagebase:0x960000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:28
                                                                                                                                                                Start time:20:05:07
                                                                                                                                                                Start date:20/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 920
                                                                                                                                                                Imagebase:0x960000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:29
                                                                                                                                                                Start time:20:05:08
                                                                                                                                                                Start date:20/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 888
                                                                                                                                                                Imagebase:0x960000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:20:05:08
Start date:20/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 908
Imagebase:0x960000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:20:05:08
Start date:20/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 884
Imagebase:0x960000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:20:05:09
Start date:20/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 936
Imagebase:0x960000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:20:05:09
Start date:20/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 900
Imagebase:0x960000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:20:05:10
Start date:20/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 936
Imagebase:0x960000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:20:05:10
Start date:20/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 908
Imagebase:0x960000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

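An added example, not part of the Joe Sandbox report: the six WerFault.exe launches above name only two faulting processes, PIDs 7548 and 7716, and each is reported three times within two seconds, which is the signature of a child process that keeps crashing rather than a single fault. The Python below parses process-table entries in the report's Key:Value layout (the sample input is constructed by copying the six entries above) and groups Windows Error Reporting launches by the -p argument, which carries the ID of the faulting process. The minimum-report threshold and the summary field names are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the WerFault.exe entries from the process table
# above, reduced to the fields this check reads. One process per block,
# blocks separated by a blank line, each line "Key:Value" as in the report.
PROCESS_TABLE = r"""
Target ID:32
Start time:20:05:08
Path:C:\Windows\SysWOW64\WerFault.exe
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 908

Target ID:33
Start time:20:05:08
Path:C:\Windows\SysWOW64\WerFault.exe
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 884

Target ID:35
Start time:20:05:09
Path:C:\Windows\SysWOW64\WerFault.exe
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 936

Target ID:37
Start time:20:05:09
Path:C:\Windows\SysWOW64\WerFault.exe
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 900

Target ID:39
Start time:20:05:10
Path:C:\Windows\SysWOW64\WerFault.exe
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 936

Target ID:41
Start time:20:05:10
Path:C:\Windows\SysWOW64\WerFault.exe
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 908
"""

# WerFault.exe is started as "WerFault.exe -u -p <faulting PID> -s <handle>";
# only the PID after -p is needed here.
WERFAULT_PID = re.compile(r"WerFault\.exe\s+-u\s+-p\s+(\d+)", re.IGNORECASE)


def parse_process_table(text):
    """Split the report's process table into one dict of fields per process.

    Values may themselves contain ':' (paths, timestamps), so only the first
    colon on a line separates key from value.
    """
    processes = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        processes.append(fields)
    return processes


def werfault_crash_clusters(processes, min_reports=2):
    """Group WerFault.exe launches by the faulting PID and return the PIDs
    reported at least `min_reports` times, with the process-table entries
    involved and the seconds spanned by the reports (threshold is an
    assumption of this example).
    """
    by_pid = defaultdict(list)
    for proc in processes:
        match = WERFAULT_PID.search(proc.get("Commandline", ""))
        if match:
            by_pid[int(match.group(1))].append(proc)

    clusters = {}
    for pid, reports in by_pid.items():
        if len(reports) < min_reports:
            continue
        times = sorted(
            datetime.strptime(r["Start time"], "%H:%M:%S") for r in reports
        )
        clusters[pid] = {
            "reports": len(reports),
            "target_ids": [int(r["Target ID"]) for r in reports],
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
        }
    return clusters


if __name__ == "__main__":
    for pid, info in werfault_crash_clusters(parse_process_table(PROCESS_TABLE)).items():
        print(f"PID {pid}: {info['reports']} WerFault reports "
              f"(targets {info['target_ids']}) within {info['span_seconds']}s")
```

Run against a full report export, the same grouping separates a process the sample deliberately crashes or restarts from an unrelated one-off fault elsewhere on the machine; the PIDs flagged are the ones whose own entries (command line, parent, dropped file) deserve the closer look.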

Execution Graph

Execution Coverage:26.1%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:42.4%
Total number of Nodes:2000
Total number of Limit Nodes:118
execution_graph: serialized node and edge data of the interactive execution graph (not reproduced here; the dump is truncated on this page). Nodes in the dump that are annotated with Windows API calls cover module and import handling (GetModuleHandleExW, LoadLibraryExW, GetProcAddress, FreeLibrary), process teardown (GetCurrentProcess, TerminateProcess, ExitProcess), heap management (RtlAllocateHeap, RtlReAllocateHeap, RtlFreeHeap, GetLastError), file and console I/O (ReadFile, WriteFile, SetFilePointerEx, GetConsoleOutputCP, GetConsoleMode, FindCloseChangeNotification, DeleteFileW, GetFileAttributesA, GetFileAttributesW), configuration and environment probing (GetPrivateProfileStringA, GetVersionExA, lstrlenA), synchronization (EnterCriticalSection, LeaveCriticalSection) and exception dispatch (RaiseException), alongside CRT/STL internals such as Concurrency::cancel_current_task, ___std_exception_copy and __fread_nolock.
47391->47393 47394 4e6337 47391->47394 47406 4f43b3 MultiByteToWideChar __wsopen_s 47393->47406 47399 4e6320 47394->47399 47405 4e6430 RtlFreeHeap GetLastError RtlAllocateHeap __wsopen_s 47394->47405 47396 4e6365 47398 4e636c GetLastError __dosmaperr 47396->47398 47402 4e6392 47396->47402 47407 4e6430 RtlFreeHeap GetLastError RtlAllocateHeap __wsopen_s 47396->47407 47398->47399 47399->47384 47402->47399 47408 4f43b3 MultiByteToWideChar __wsopen_s 47402->47408 47403 4e63a9 47403->47398 47403->47399 47404->47399 47405->47399 47406->47396 47407->47402 47408->47403 47409->46959 47611 41fa10 47612 41fa17 47611->47612 47612->47611 47613 41fa8b FindFirstFileA 47612->47613 47614 41fd4f 47612->47614 47621 41fac8 47613->47621 47615 41fd1a FindNextFileA 47616 41fd33 GetLastError 47615->47616 47615->47621 47617 41fd46 FindClose 47616->47617 47616->47621 47617->47614 47618 473140 3 API calls 47618->47621 47619 468210 3 API calls 47619->47621 47621->47614 47621->47615 47621->47618 47621->47619 47622 4642a0 ___std_exception_copy ___std_exception_copy RaiseException 47621->47622 47622->47621 47623 4ef218 47624 4ef22d 47623->47624 47625 4f3893 RtlAllocateHeap 47624->47625 47626 4ef254 47625->47626 47627 4ef25c 47626->47627 47634 4ef266 47626->47634 47628 4f4253 __freea 2 API calls 47627->47628 47631 4ef262 47628->47631 47629 4ef2c3 47630 4f4253 __freea 2 API calls 47629->47630 47630->47631 47632 4f3893 RtlAllocateHeap 47632->47634 47633 4ef2d2 47635 4f4253 __freea 2 API calls 47633->47635 47634->47629 47634->47632 47634->47633 47637 4f4253 __freea 2 API calls 47634->47637 47640 4ef2ed 47634->47640 47636 4ef2df 47635->47636 47638 4f4253 __freea 2 API calls 47636->47638 47637->47634 47638->47631 47639 4f3893 RtlAllocateHeap 47641 4ef359 47639->47641 47640->47639 47642 4ef361 47641->47642 47648 4ef36b 47641->47648 47643 4f4253 __freea 2 API calls 47642->47643 47654 4ef367 47643->47654 47644 4ef3e0 47645 4f4253 __freea 2 API calls 47644->47645 47645->47654 47646 4f3893 RtlAllocateHeap 
47646->47648 47647 4ef3f0 47650 4f4253 __freea 2 API calls 47647->47650 47648->47644 47648->47646 47648->47647 47649 4ef40b 47648->47649 47652 4f4253 __freea 2 API calls 47648->47652 47651 4ef3fe 47650->47651 47653 4f4253 __freea 2 API calls 47651->47653 47652->47648 47653->47654 50500 4b4a10 50502 4b4a29 50500->50502 50501 4b4d81 50507 4b4dbf 50501->50507 50520 490e40 50501->50520 50502->50501 50505 4b4abd 50502->50505 50502->50507 50528 49e080 RtlFreeHeap GetLastError 50502->50528 50506 4b4b49 50505->50506 50514 4b4bdd 50505->50514 50529 49e080 RtlFreeHeap GetLastError 50505->50529 50530 4cb3c0 50506->50530 50510 4b4bc8 50510->50514 50662 49e080 RtlFreeHeap GetLastError 50510->50662 50511 48db50 2 API calls 50513 4b4ce1 50511->50513 50663 4b45d0 RtlFreeHeap GetLastError 50513->50663 50514->50507 50514->50511 50514->50513 50516 4b4d0a 50517 4b4d33 50516->50517 50664 49e080 RtlFreeHeap GetLastError 50516->50664 50665 49e6e0 RtlFreeHeap GetLastError __fread_nolock 50517->50665 50521 490e57 50520->50521 50522 490ea2 50521->50522 50525 490f0f 50521->50525 50523 48db50 2 API calls 50522->50523 50524 490ee4 50522->50524 50523->50524 50524->50507 50526 48db50 2 API calls 50525->50526 50527 490fbf 50525->50527 50526->50527 50527->50507 50528->50505 50529->50506 50531 4ccf73 50530->50531 50532 4cb3ee 50530->50532 50531->50510 50532->50531 50666 4cad40 50532->50666 50534 4cb60d 50536 4cb63b 50534->50536 50542 4cb696 50534->50542 50535 48db50 2 API calls 50540 4cb6ea 50535->50540 50543 4cb666 50536->50543 50674 4c6120 12 API calls 50536->50674 50538 48db50 2 API calls 50538->50531 50539 4cb68c 50539->50510 50540->50538 50541 4ccf50 50540->50541 50541->50510 50545 4cb7ed 50542->50545 50546 4cb787 50542->50546 50570 4cb6ac 50542->50570 50675 49e080 RtlFreeHeap GetLastError 50542->50675 50543->50510 50544 4cb833 50678 49e1e0 RtlFreeHeap GetLastError 50544->50678 50545->50544 50677 49e080 RtlFreeHeap GetLastError 50545->50677 50676 49e6e0 RtlFreeHeap GetLastError __fread_nolock 
50546->50676 50551 4cb445 50551->50534 50552 4cb3c0 12 API calls 50551->50552 50551->50570 50552->50551 50553 4cb8dc 50554 4cb952 50553->50554 50561 4cba02 50553->50561 50682 4d4310 12 API calls 50554->50682 50555 4cb87a 50555->50553 50556 4cb8e1 50555->50556 50679 49e080 RtlFreeHeap GetLastError 50555->50679 50681 49e6e0 RtlFreeHeap GetLastError __fread_nolock 50556->50681 50561->50561 50685 49e1e0 RtlFreeHeap GetLastError 50561->50685 50562 4cb8c6 50562->50556 50563 4cb8ca 50562->50563 50680 49e6e0 RtlFreeHeap GetLastError __fread_nolock 50563->50680 50564 4cb9ab 50684 4c40c0 RtlFreeHeap GetLastError 50564->50684 50566 4cba47 50574 4cbb0a 50566->50574 50686 4a80c0 12 API calls 50566->50686 50567 4cb96a 50567->50564 50567->50570 50683 49e380 RtlFreeHeap GetLastError 50567->50683 50569 4cbb6a 50582 4cbbb0 50569->50582 50688 4a80c0 12 API calls 50569->50688 50570->50535 50570->50540 50573 4cbc57 50573->50570 50577 4cc99b 50573->50577 50579 4cbc7d 50573->50579 50574->50569 50687 4a80c0 12 API calls 50574->50687 50588 4ccc12 50577->50588 50593 4cca0c 50577->50593 50580 4cbcc1 50579->50580 50690 49e080 RtlFreeHeap GetLastError 50579->50690 50691 49e6e0 RtlFreeHeap GetLastError __fread_nolock 50580->50691 50582->50573 50689 4a80c0 12 API calls 50582->50689 50585 4cbd24 50692 49e1e0 RtlFreeHeap GetLastError 50585->50692 50587 4cbd3c 50693 49e1e0 RtlFreeHeap GetLastError 50587->50693 50726 4d4310 12 API calls 50588->50726 50590 4cbd51 50591 4cbd8c 50590->50591 50694 49e080 RtlFreeHeap GetLastError 50590->50694 50594 4cbde4 50591->50594 50695 49e080 RtlFreeHeap GetLastError 50591->50695 50601 4ccac4 50593->50601 50721 49e080 RtlFreeHeap GetLastError 50593->50721 50600 4cbe37 50594->50600 50696 49e080 RtlFreeHeap GetLastError 50594->50696 50595 4ccdad 50607 4ccbc9 50595->50607 50727 49e080 RtlFreeHeap GetLastError 50595->50727 50599 4ccb36 50604 4ccb76 50599->50604 50724 49e080 RtlFreeHeap GetLastError 50599->50724 50697 4d4310 12 API calls 50600->50697 50601->50599 50602 
4ccb47 50601->50602 50605 4ccb1f 50601->50605 50723 49e380 RtlFreeHeap GetLastError 50602->50723 50604->50607 50725 49e080 RtlFreeHeap GetLastError 50604->50725 50722 49e380 RtlFreeHeap GetLastError 50605->50722 50728 4c40c0 RtlFreeHeap GetLastError 50607->50728 50613 4cc394 50614 4cc3a9 50613->50614 50703 49e080 RtlFreeHeap GetLastError 50613->50703 50704 49e6e0 RtlFreeHeap GetLastError __fread_nolock 50614->50704 50617 49e080 RtlFreeHeap GetLastError 50621 4cbeab 50617->50621 50618 4cbe90 50618->50570 50618->50621 50635 4cbfa9 50618->50635 50698 49e080 RtlFreeHeap GetLastError 50618->50698 50619 4cc403 50623 4cc415 50619->50623 50705 49e080 RtlFreeHeap GetLastError 50619->50705 50621->50613 50621->50617 50624 4cc479 50623->50624 50706 49e080 RtlFreeHeap GetLastError 50623->50706 50629 4cc4d7 50624->50629 50707 49e080 RtlFreeHeap GetLastError 50624->50707 50625 4cc102 50634 4cc15c 50625->50634 50701 49e080 RtlFreeHeap GetLastError 50625->50701 50626 4cc0d3 50626->50625 50700 49e080 RtlFreeHeap GetLastError 50626->50700 50636 4cc52f 50629->50636 50708 49e080 RtlFreeHeap GetLastError 50629->50708 50634->50621 50702 49e080 RtlFreeHeap GetLastError 50634->50702 50635->50626 50699 49e080 RtlFreeHeap GetLastError 50635->50699 50638 4cc59d 50636->50638 50709 49e080 RtlFreeHeap GetLastError 50636->50709 50640 4cc5e0 50638->50640 50642 4cc63c 50638->50642 50646 4cc5fa 50640->50646 50710 49e080 RtlFreeHeap GetLastError 50640->50710 50642->50646 50711 49e380 RtlFreeHeap GetLastError 50642->50711 50645 4cc688 50647 4cc6da 50645->50647 50713 49e080 RtlFreeHeap GetLastError 50645->50713 50646->50645 50712 49e080 RtlFreeHeap GetLastError 50646->50712 50649 4cc729 50647->50649 50714 49e080 RtlFreeHeap GetLastError 50647->50714 50652 4cc775 50649->50652 50715 49e080 RtlFreeHeap GetLastError 50649->50715 50653 4cc7e0 50652->50653 50716 49e080 RtlFreeHeap GetLastError 50652->50716 50656 4cc82d 50653->50656 50717 49e080 RtlFreeHeap GetLastError 50653->50717 50718 4c40c0 RtlFreeHeap 
GetLastError 50656->50718 50658 4cc8bb 50660 4cc8d1 50658->50660 50719 49e080 RtlFreeHeap GetLastError 50658->50719 50660->50570 50720 49e080 RtlFreeHeap GetLastError 50660->50720 50662->50514 50663->50516 50664->50517 50665->50501 50667 4cad58 50666->50667 50668 4cadda 50666->50668 50667->50668 50729 4a8180 50667->50729 50668->50551 50671 4a8180 12 API calls 50672 4cadaf 50671->50672 50672->50668 50673 4a8180 12 API calls 50672->50673 50673->50668 50674->50539 50675->50546 50676->50545 50677->50544 50678->50555 50679->50562 50680->50553 50681->50553 50682->50567 50683->50564 50684->50570 50685->50566 50686->50566 50687->50574 50688->50582 50689->50582 50690->50580 50691->50585 50692->50587 50693->50590 50694->50591 50695->50594 50696->50600 50697->50618 50698->50635 50699->50635 50700->50625 50701->50634 50702->50621 50703->50614 50704->50619 50705->50623 50706->50624 50707->50629 50708->50636 50709->50638 50710->50646 50711->50646 50712->50645 50713->50647 50714->50649 50715->50652 50716->50653 50717->50656 50718->50658 50719->50660 50720->50570 50721->50601 50722->50599 50723->50599 50724->50604 50725->50607 50726->50595 50727->50607 50728->50570 50730 4a82ad 50729->50730 50731 4a8197 50729->50731 50730->50668 50730->50671 50731->50730 50732 4a80c0 12 API calls 50731->50732 50733 4a8180 12 API calls 50731->50733 50735 4ca380 50731->50735 50732->50731 50733->50731 50738 4ca685 50735->50738 50740 4ca3a6 50735->50740 50736 4a8180 12 API calls 50736->50740 50738->50731 50739 4ca791 50739->50738 50741 4a8180 12 API calls 50739->50741 50740->50736 50740->50738 50740->50739 50744 4ca56f __fread_nolock 50740->50744 50746 4c2b00 50740->50746 50742 4ca7c1 50741->50742 50742->50731 50743 4aa840 RtlFreeHeap GetLastError 50743->50744 50744->50738 50744->50743 50745 48db50 RtlFreeHeap GetLastError 50744->50745 50745->50744 50747 4c2b30 50746->50747 50749 4c2b6b 50747->50749 50750 4c2740 50747->50750 50749->50740 50759 4c24b0 50750->50759 50752 4c27a6 50753 498900 10 API calls 
50752->50753 50754 4c27e7 50752->50754 50755 4c27fd 50752->50755 50753->50755 50754->50747 50755->50754 50767 4bf050 50755->50767 50757 4c2a42 50757->50754 50758 48db50 2 API calls 50757->50758 50758->50754 50760 4c24d9 50759->50760 50761 4c2528 50759->50761 50760->50752 50762 4bf050 12 API calls 50761->50762 50764 4c2539 50761->50764 50766 4c25b0 50762->50766 50763 48db50 2 API calls 50765 4c268a 50763->50765 50764->50752 50765->50752 50766->50763 50766->50764 50773 4bf096 __fread_nolock 50767->50773 50768 4bf1dd 50769 4c3160 10 API calls 50768->50769 50771 4bf627 50768->50771 50775 48db50 2 API calls 50768->50775 50777 4c24b0 12 API calls 50768->50777 50778 4a0800 50768->50778 50769->50768 50770 4dc8a2 2 API calls 50770->50773 50772 48db50 2 API calls 50771->50772 50776 4bf6b2 __fread_nolock 50771->50776 50772->50776 50773->50768 50773->50770 50775->50768 50776->50757 50777->50768 50779 4a0c59 50778->50779 50781 4a0819 50778->50781 50779->50768 50780 4a0bba 50780->50768 50781->50780 50782 4a0b5c 50781->50782 50783 4c3160 10 API calls 50781->50783 50782->50780 50784 48db50 2 API calls 50782->50784 50783->50781 50784->50780 51122 414233 51127 41424c 51122->51127 51123 4143ef 51124 414480 std::_Throw_Cpp_error 51123->51124 51125 414487 std::_Throw_Cpp_error 51124->51125 51126 4144a0 51125->51126 51127->51123 51128 414328 CopyFileA 51127->51128 51129 414341 51128->51129 51131 414353 51128->51131 51134 413f60 GetLastError 51129->51134 51131->51124 51131->51125 51132 4655d0 3 API calls 51131->51132 51133 414357 51131->51133 51132->51123 51135 4140d6 CopyFileA 51134->51135 51140 413f9e 51134->51140 51136 414130 51135->51136 51137 4140f0 GetLastError 51135->51137 51136->51131 51138 4140f7 51137->51138 51139 41411c 51137->51139 51141 4140fe CopyFileA 51138->51141 51139->51131 51142 413ffd RmStartSession 51140->51142 51141->51131 51143 4140b1 RmEndSession SetLastError 51142->51143 51144 41401d 51142->51144 51145 4140d0 51143->51145 51146 41402d RmRegisterResources 
51144->51146 51145->51135 51147 41405a RmGetList 51146->51147 51149 41409f 51146->51149 51148 414082 51147->51148 51148->51149 51150 414090 RmShutdown 51148->51150 51149->51143 51150->51149 51151 4f363b 51154 4f3648 51151->51154 51152 4f3654 51154->51152 51156 4f68c4 3 API calls 51154->51156 51157 4f3702 51154->51157 51156->51157 51158 4f3731 51157->51158 51159 4f3740 51158->51159 51160 4f37e6 51159->51160 51161 4f3753 51159->51161 51162 4f282c 16 API calls 51160->51162 51163 4f3770 51161->51163 51166 4f3797 51161->51166 51165 4f3713 51162->51165 51164 4f282c 16 API calls 51163->51164 51164->51165 51166->51165 51168 4eb7cf 51166->51168 51169 4eb7e3 51168->51169 51170 4eb627 2 API calls 51169->51170 51171 4eb7f8 51170->51171 51171->51165 51241 4d9b30 51242 4d9b4d 51241->51242 51243 4d9b43 51241->51243 51244 48db50 2 API calls 51242->51244 51245 4d9b63 51242->51245 51244->51245 46769 4f5bcc 46770 4f5bd9 46769->46770 46771 4f5bf1 46769->46771 46771->46770 46772 4f5c50 46771->46772 46775 4f68c4 46771->46775 46780 4f19ab 46772->46780 46784 4f3893 46775->46784 46777 4f68e1 46778 4f4253 __freea 2 API calls 46777->46778 46779 4f68eb 46778->46779 46779->46772 46782 4f19b7 46780->46782 46781 4f19bf 46781->46770 46782->46781 46788 4f1ac4 46782->46788 46787 4f38a0 46784->46787 46785 4f38cb RtlAllocateHeap 46786 4f38de 46785->46786 46785->46787 46786->46777 46787->46785 46787->46786 46789 4f1ad6 46788->46789 46790 4f1aee 46788->46790 46789->46781 46790->46789 46792 4f1b92 46790->46792 46794 4f1b85 46790->46794 46809 4f42cd 46790->46809 46808 4f4253 __freea 2 API calls 46792->46808 46793 4f1bd1 46795 4f4253 __freea 2 API calls 46793->46795 46794->46792 46796 4f1d80 46794->46796 46799 4f1d25 GetConsoleMode 46794->46799 46797 4f1bda 46795->46797 46798 4f1d84 ReadFile 46796->46798 46800 4f4253 __freea 2 API calls 46797->46800 46801 4f1d9c 46798->46801 46802 4f1df8 GetLastError 46798->46802 46799->46796 46803 4f1d36 46799->46803 46800->46794 46801->46792 46801->46802 46802->46792 
46804 4f1e1c 46802->46804 46803->46798 46805 4f1d3c ReadConsoleW 46803->46805 46804->46792 46806 4f1d5c __dosmaperr 46804->46806 46805->46792 46807 4f1d56 GetLastError 46805->46807 46806->46792 46807->46806 46808->46789 46810 4f4309 46809->46810 46811 4f42db 46809->46811 46810->46793 46811->46810 46812 4f42f6 RtlAllocateHeap 46811->46812 46812->46810 46812->46811 47411 45e5d4 47412 45e5ee 47411->47412 47413 4655d0 3 API calls 47412->47413 47415 45e60c 47413->47415 47414 45e675 CreateThread FindCloseChangeNotification 47417 45e747 47414->47417 47418 45e69e 47414->47418 47571 41e220 47414->47571 47415->47414 47416 45e6a0 GetPEB 47416->47418 47419 45e782 GetTempPathA 47417->47419 47418->47416 47418->47418 47420 45e71d Sleep 47418->47420 47421 45e7a4 47419->47421 47420->47416 47420->47417 47458 40b1a0 47421->47458 47423 45e8d7 47424 45e8e9 47423->47424 47479 40b300 47423->47479 47426 40b1a0 4 API calls 47424->47426 47427 45e8fe 47426->47427 47428 45e911 47427->47428 47429 40b300 14 API calls 47427->47429 47430 45e920 CreateDirectoryA 47428->47430 47429->47428 47431 45e93d 47430->47431 47432 45e933 47430->47432 47434 45e952 CreateDirectoryA 47431->47434 47435 460fa5 OutputDebugStringA 47431->47435 47499 415e30 47432->47499 47436 45e9d3 47434->47436 47437 45e959 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@ 47434->47437 47442 460fbc 47435->47442 47438 45e9de GetPEB 47436->47438 47441 45e995 47437->47441 47439 45e9f0 47438->47439 47439->47435 47440 415e30 2 API calls 47440->47436 47441->47440 47443 4655d0 3 API calls 47442->47443 47444 461062 47443->47444 47445 4610d3 CreateMutexA 47444->47445 47446 402990 47445->47446 47447 4610ed GetLastError 47446->47447 47448 4610fe Sleep 47447->47448 47456 4611db 47447->47456 47449 46113b 47448->47449 47467 41e5f0 47449->47467 47451 461150 47452 461195 Sleep shutdown closesocket 47451->47452 47453 461172 Sleep 47451->47453 47455 4611ce 47452->47455 47452->47456 47453->47452 47453->47453 47455->47456 47457 4611d2 Sleep 47455->47457 
47457->47457 47459 40b1d0 47458->47459 47460 40b1d7 47459->47460 47461 40b24d std::_Throw_Cpp_error 47459->47461 47462 40b254 std::_Throw_Cpp_error 47460->47462 47463 40b1e3 47460->47463 47461->47462 47464 40b1fb GetFileAttributesA 47463->47464 47465 40b212 47463->47465 47464->47465 47466 40b207 GetLastError 47464->47466 47465->47423 47466->47465 47468 41e61d 47467->47468 47469 41e737 std::_Throw_Cpp_error 47468->47469 47470 41e628 47468->47470 47471 41e73e std::_Throw_Cpp_error 47469->47471 47470->47471 47472 41e638 47470->47472 47473 473140 3 API calls 47472->47473 47474 41e685 47472->47474 47473->47474 47475 4655d0 3 API calls 47474->47475 47476 41e6fc 47475->47476 47505 41d840 47476->47505 47478 41e710 47478->47451 47480 40b33a 47479->47480 47481 40b712 std::_Throw_Cpp_error 47480->47481 47482 40b345 47480->47482 47483 40b719 std::_Throw_Cpp_error 47481->47483 47482->47483 47484 40b355 47482->47484 47486 40b627 47483->47486 47485 40b410 FindFirstFileA 47484->47485 47484->47486 47485->47486 47488 40b435 47485->47488 47486->47424 47488->47486 47489 40b5a9 SetFileAttributesA 47488->47489 47490 40b300 3 API calls 47488->47490 47566 468210 47488->47566 47491 40b650 GetLastError 47489->47491 47492 40b5c8 DeleteFileA 47489->47492 47490->47489 47491->47486 47492->47491 47493 40b5de FindNextFileA 47492->47493 47493->47488 47494 40b5f7 FindClose GetLastError 47493->47494 47494->47486 47495 40b60d SetFileAttributesA 47494->47495 47495->47486 47497 40b632 RemoveDirectoryA 47495->47497 47497->47486 47502 415e66 47499->47502 47500 415edb GetFileAttributesA 47501 415fe1 47500->47501 47503 415eeb 47500->47503 47501->47431 47502->47500 47504 415fc4 CreateDirectoryA 47503->47504 47504->47431 47506 4655d0 3 API calls 47505->47506 47507 41d87d 47506->47507 47508 4680a0 3 API calls 47507->47508 47509 41daa1 __fread_nolock 47507->47509 47508->47509 47510 41dbad GetModuleHandleA GetProcAddress WSASend 47509->47510 47512 41dbe7 47509->47512 47510->47509 47510->47512 47511 41dc17 
47511->47478 47512->47511 47513 41dca9 47512->47513 47514 41dcf9 47512->47514 47515 41d840 47 API calls 47513->47515 47516 41e000 47514->47516 47530 41dd9e 47514->47530 47537 41dccf 47514->47537 47515->47537 47517 41e008 47516->47517 47518 41e05b 47516->47518 47519 46a630 25 API calls 47517->47519 47520 41e063 47518->47520 47521 41e0b6 47518->47521 47519->47537 47522 46a630 25 API calls 47520->47522 47523 41e111 47521->47523 47524 41e0be 47521->47524 47522->47537 47526 41e119 47523->47526 47527 41e16c 47523->47527 47525 46a630 25 API calls 47524->47525 47525->47537 47528 46a630 25 API calls 47526->47528 47529 46a630 25 API calls 47527->47529 47527->47537 47528->47537 47529->47537 47531 41dedc GetCurrentProcess 47530->47531 47533 41df09 47530->47533 47530->47537 47532 4655d0 3 API calls 47531->47532 47532->47537 47533->47537 47538 4ea858 47533->47538 47535 41df56 47536 4e62d8 22 API calls 47535->47536 47536->47537 47537->47478 47539 4ea86b 47538->47539 47542 4ea63a 47539->47542 47541 4ea880 47541->47535 47543 4ea648 47542->47543 47544 4ea655 47542->47544 47543->47544 47547 4ea593 47543->47547 47544->47541 47548 4ea59f 47547->47548 47555 4ea480 EnterCriticalSection 47548->47555 47550 4ea5ad 47556 4ea5ee 47550->47556 47552 4ea5ba 47560 4ea5e2 LeaveCriticalSection 47552->47560 47554 4ea5cb 47554->47541 47555->47550 47557 4ea606 47556->47557 47561 4ea6b1 47557->47561 47559 4ea624 47559->47552 47560->47554 47562 4ea6d1 47561->47562 47564 4ea6c3 __fread_nolock 47561->47564 47562->47559 47563 4e2cc1 16 API calls 47563->47564 47564->47562 47564->47563 47565 4f282c 16 API calls 47564->47565 47565->47564 47567 468232 __fread_nolock 47566->47567 47568 46825f 47566->47568 47567->47488 47569 402f50 3 API calls 47568->47569 47570 4682b4 __fread_nolock 47568->47570 47569->47570 47570->47488 47572 41e5d8 47571->47572 47575 41e24a 47571->47575 47573 41e293 setsockopt recv WSAGetLastError 47573->47572 47573->47575 47575->47573 47576 41e5c3 Sleep 47575->47576 47578 41e521 recv 
47575->47578 47580 4680a0 3 API calls 47575->47580 47590 41d430 WSAStartup 47575->47590 47603 4dc299 47575->47603 47576->47572 47576->47575 47581 41e5bb Sleep 47578->47581 47582 41e339 recv 47580->47582 47581->47576 47583 41e35a recv 47582->47583 47585 41e37b 47582->47585 47583->47585 47584 41d840 51 API calls 47584->47585 47585->47581 47585->47584 47586 41e5ea 47585->47586 47587 4655d0 3 API calls 47585->47587 47588 41e3e2 setsockopt recv 47585->47588 47589 4680a0 3 API calls 47585->47589 47587->47585 47588->47585 47589->47588 47591 41d536 47590->47591 47592 41d468 47590->47592 47591->47575 47592->47591 47593 41d49e getaddrinfo 47592->47593 47594 41d530 WSACleanup 47593->47594 47595 41d4e6 47593->47595 47594->47591 47596 41d544 freeaddrinfo 47595->47596 47597 41d4f4 socket 47595->47597 47596->47594 47598 41d550 47596->47598 47597->47594 47599 41d50a connect 47597->47599 47598->47575 47600 41d540 47599->47600 47601 41d51c closesocket 47599->47601 47600->47596 47601->47597 47602 41d526 freeaddrinfo 47601->47602 47602->47594 47606 4dc84d 47603->47606 47607 4dc87d GetSystemTimePreciseAsFileTime 47606->47607 47608 4dc889 GetSystemTimeAsFileTime 47606->47608 47609 41e53b __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@ 47607->47609 47608->47609 47609->47581 47609->47585 50479 4224d9 50480 4655d0 3 API calls 50479->50480 50489 4224f6 50480->50489 50481 4227fb 50482 473140 3 API calls 50481->50482 50498 4228d7 50481->50498 50482->50498 50483 42259f 50484 4655d0 ___std_exception_copy ___std_exception_copy RaiseException 50484->50498 50485 42252f 50485->50483 50486 4de42b Concurrency::cancel_current_task RaiseException 50485->50486 50487 42363e 50486->50487 50488 4673c0 3 API calls 50488->50498 50489->50481 50489->50485 50490 4655d0 3 API calls 50489->50490 50490->50489 50491 423585 50492 4de42b Concurrency::cancel_current_task RaiseException 50491->50492 50492->50485 50493 4c3160 10 API calls 50493->50498 50494 462610 RaiseException 50494->50498 50495 4144e0 16 API calls 
50495->50498 50496 46a190 RaiseException 50496->50498 50497 4628f0 3 API calls 50497->50498 50498->50483 50498->50484 50498->50485 50498->50488 50498->50491 50498->50493 50498->50494 50498->50495 50498->50496 50498->50497 50499 4a0800 10 API calls 50498->50499 50499->50498 50802 4060e0 4 API calls 2 library calls 50803 45dde5 50804 45ddec 50803->50804 50805 45de2b LoadLibraryA 50804->50805 50806 45de7e 50805->50806 50807 45de38 50805->50807 50838 416000 50806->50838 50809 45de72 GetProcAddress 50807->50809 50809->50806 50810 45deb2 50811 4655d0 3 API calls 50810->50811 50812 45decd 50811->50812 50842 40ad80 50812->50842 50814 45dee5 50815 45df6e 50814->50815 50824 45dfe6 MessageBoxA 50814->50824 50816 45e082 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@ 50815->50816 50817 45e0ad GetProcessId 50816->50817 50819 45e109 50817->50819 50827 45e140 50819->50827 50924 414870 GetPEB IsDebuggerPresent 50819->50924 50821 45e129 50822 45e1b1 50821->50822 50823 45e131 GetPEB 50821->50823 50825 45e1be GetPEB 50822->50825 50822->50827 50823->50827 50824->50815 50837 45dff7 50824->50837 50825->50827 50826 45e2bf GetPEB 50828 45e2d0 50826->50828 50827->50826 50827->50828 50830 45e3ce 50828->50830 50857 4176b0 50828->50857 50831 45e3ff __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@ 50830->50831 50835 45e43f SetThreadExecutionState 50831->50835 50833 45e483 SetThreadExecutionState 50834 45e48a 50833->50834 50836 45e4ba GetPEB 50834->50836 50835->50833 50835->50834 50836->50837 50839 4debe0 50838->50839 50840 41603e GetModuleFileNameA 50839->50840 50841 416072 50840->50841 50841->50810 50843 46a0a0 2 API calls 50842->50843 50844 40adbf 50843->50844 50845 4e6826 18 API calls 50844->50845 50847 40ae66 50844->50847 50846 40ae0a 50845->50846 50848 4e25db 9 API calls 50846->50848 50847->50814 50849 40ae10 50848->50849 50850 4e6826 18 API calls 50849->50850 50851 40ae1c 50850->50851 50852 40ae2f 50851->50852 50853 4680a0 3 API calls 50851->50853 50854 4eb2cf __fread_nolock 10 API calls 50852->50854 
50853->50852 50855 40ae60 50854->50855 50856 4e62d8 22 API calls 50855->50856 50856->50847 50858 4176e5 50857->50858 50859 416000 GetModuleFileNameA 50858->50859 50860 41779a 50859->50860 50861 4177bb GetUserNameA 50860->50861 50862 4177f0 50861->50862 50862->50862 50863 468210 3 API calls 50862->50863 50870 417b68 50862->50870 50864 41787e 50863->50864 50865 468210 3 API calls 50864->50865 50866 4178a1 50865->50866 50867 40b1a0 4 API calls 50866->50867 50868 4178b1 50867->50868 50869 415e30 2 API calls 50868->50869 50874 4178bd 50868->50874 50869->50874 50871 468210 3 API calls 50870->50871 50877 41867e 50870->50877 50896 418a48 50870->50896 50872 417c86 50871->50872 50873 468210 3 API calls 50872->50873 50875 417ca9 50873->50875 50874->50870 50878 468210 3 API calls 50874->50878 50874->50896 50876 40b1a0 4 API calls 50875->50876 50879 417cb9 50876->50879 50880 468210 3 API calls 50877->50880 50907 418900 50877->50907 50881 41796a 50878->50881 50882 415e30 2 API calls 50879->50882 50885 417d0b 50879->50885 50891 4187ce 50880->50891 50883 4655d0 3 API calls 50881->50883 50881->50896 50882->50885 50884 417a60 50883->50884 50886 40b110 22 API calls 50884->50886 50885->50877 50889 468210 3 API calls 50885->50889 50885->50896 50887 417a6d 50886->50887 50887->50870 50888 417a78 CopyFileA 50887->50888 50888->50870 50890 417aa9 RegOpenKeyExA 50888->50890 50897 417e20 50889->50897 50890->50870 50894 417b2e RegSetValueExA RegCloseKey 50890->50894 50893 4dc299 __Xtime_get_ticks 2 API calls 50891->50893 50891->50907 50895 418837 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@ 50893->50895 50894->50870 50900 41884d 50895->50900 50896->50830 50897->50896 50898 4655d0 3 API calls 50897->50898 50899 417ef9 50898->50899 50901 40b110 22 API calls 50899->50901 50902 4ea858 18 API calls 50900->50902 50903 417f06 50901->50903 50904 4188fa 50902->50904 50903->50877 50905 417f11 CopyFileA 50903->50905 50906 4e62d8 22 API calls 50904->50906 50905->50877 50908 417f4b 50905->50908 50906->50907 
[Execution graph: rendered call-graph image residue omitted. The edges link function addresses in the 0x40xxxx-0x4fxxxx range; API calls visible on the graph nodes: GetModuleHandleA, GetProcAddress, CreateProcessA, GetPEB, CreateMutexA, GetLastError, Sleep, shutdown, closesocket, WSACleanup, OutputDebugStringA, GetCurrentProcess, CreateThread, RaiseException, CryptUnprotectData, LocalFree, GetCursorPos, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetCurrentHwProfileA, SetupDiGetClassDevsA, GetWindowsDirectoryA, GetVolumeInformationA, LoadLibraryA, RtlFreeHeap, SetFilePointer, ReadFile, CreateFileA, CreateFileW, GetDiskFreeSpaceA, GetDiskFreeSpaceW, GetVersionExA, GetFullPathNameA, GetFullPathNameW, GetFileType, CloseHandle; CRT internals on the graph: __fread_nolock, __freea, __wsopen_s, __dosmaperr, ___std_exception_copy, Concurrency::cancel_current_task.]
APIs
• CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 00442C53
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00442CAF
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004434EF
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00443639
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 004436EF
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0044383A
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 004438D6
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00443A09
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00443AA4
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00443BFE
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00443C97
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00443ED8
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00444039
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00444292
• CreateDirectoryA.KERNEL32(00000000,00000000,?,?,00000000), ref: 00444416
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0044483E
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00444898
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00444A1E
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00444CE4
• CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00444E4E
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00444B76
  • Part of subcall function 0040B1A0: std::_Throw_Cpp_error.LIBCPMT ref: 0040B24F
  • Part of subcall function 0040B1A0: std::_Throw_Cpp_error.LIBCPMT ref: 0040B260
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00445C65
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00445CC0
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0044337F
  • Part of subcall function 0040E7B0: FindFirstFileA.KERNEL32(00000000,7F7A790F,?,7F7A790E,00445E27,00000000,7F7A790E,7F7A790F,74DF3100,?), ref: 0040E929
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00442CE0
  • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
  • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00442E08
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00442E37
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00442F2F
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00443029
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00443087
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004431B8
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0044324A
Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CreateDirectory$File$Copy$Cpp_errorFolderPathThrow_std::_$AttributesErrorFindFirstLast
                                                                                                                                                                  • String ID: 1,)$ghi$! 2;$!#7)$!'14;y=!?$"83<$";=w$";=w$"?=+$#9;1$$'4<$%1$%26>$&+$&2$)u$0$)u$0$)u(%$)u6.$*$+$.$.4.<$.4.<$.4.<$0(33$0(33$0+$0>?$0>?$0>?$0>?w$0>?w$11$1<:3$1>6$2$2$315$315$3$$34*8$3:$3>2)$3y<8$4(r)$4>($4>($61$6:$6:$759*$759*$759*$7:$7;x$7;x$7;x$864$864$9"6-$9"6-$9"6-$9"6-$9"6-$9:$9:$9:$;26-$</$?($?($?($?)$?)/$?0$_$k$t224$w Y_[]$|';-$|76$|::<
                                                                                                                                                                  • API String ID: 2574188035-1442773133
                                                                                                                                                                  • Opcode ID: 84ae1c63d6033ff848180c2086d45f63427aa1eaa9acf33f2040efccea7c3d40
                                                                                                                                                                  • Instruction ID: 381145703412e6fb88b60a60e01735f5d7b95eb576607faa1d3520efd2827bc4
                                                                                                                                                                  • Opcode Fuzzy Hash: 84ae1c63d6033ff848180c2086d45f63427aa1eaa9acf33f2040efccea7c3d40
                                                                                                                                                                  • Instruction Fuzzy Hash: 56639E70C04298DADB21EB65CD557DEBBB4AF21308F4441DAD449772C2EBB81B88CF96
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                   Control-flow Graph
                                                                                                                                                                   • Legend: Executed / Not Executed
                                                                                                                                                                   • Graph of the function starting at 41ab90 (first basic block 41ab90-41ac4c); the rendered node and edge data of the graph is not reproduced here.
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressProc$HandleModule
                                                                                                                                                                  • String ID: $!$!$!$!$"$"$"%!$#$#$#$#$#$$$%$%$%$%$&$)$+$-$0$0$0$0$1$1$1$1$1$1010;#;#$10;#;#$1: ,$1: ,$1: ,$1: ,$1: ,$1: ,$1: ,$1<!;$1<!;"%!$1<!;"%!$1<!;"%!$1<!;"%!$1<!;"%!$1<!;"%!$1<!;"%!$3$3$3$3$3#={;.1)t830q$4$4$5$5$5$5$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$62 4$62 4$62 4$62 4$62 4$7$7$7$8$8$8$8$8$9$9$9$9$9$9$9$9$9$9$9$9$9 6$:$:$:$:$:$:$;$;$;$;$;$;$;$;$; ;58<<$; ;58<<$; ;58<<$;#$;#;#$<$<$<$<290%$<290%$=$=$=$=$=$=$>$>$>$>$>$?$?$C$Content-Type: application/x-www-form-urlencoded$D$H$H$K$M$N$N$O$T$V$V$Z$[$]$^$b$c$c}e{$gyi$https://ipinfo.io/$https://www.maxmind.com/en/locate-my-ip-address$s$s$t$t$v$v$y$y$y${
                                                                                                                                                                  • API String ID: 667068680-2070094464
                                                                                                                                                                  • Opcode ID: 923cd99838d45b3046f962e919831202ff46d4e597a1e150e1b8529297517397
                                                                                                                                                                  • Instruction ID: bf9710a7a207a8ccf4af3cee12a165b4e35f870af137caed5c9356e2315dafa6
                                                                                                                                                                  • Opcode Fuzzy Hash: 923cd99838d45b3046f962e919831202ff46d4e597a1e150e1b8529297517397
                                                                                                                                                                  • Instruction Fuzzy Hash: EE134D30D08298D9EB22D768C9597DDBFB45F26308F4441DED0887B282D7B90F89DB66
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 0045EB04
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0045EB19
                                                                                                                                                                  • Sleep.KERNEL32(00000529), ref: 0045EB3A
                                                                                                                                                                  • Sleep.KERNEL32(0000002F), ref: 0045EBAA
                                                                                                                                                                  • shutdown.WS2_32(00000002), ref: 0045EBDA
                                                                                                                                                                  • closesocket.WS2_32 ref: 0045EBE6
                                                                                                                                                                  • WSACleanup.WS2_32 ref: 0045EBEC
                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045ECA1
                                                                                                                                                                  • Sleep.KERNELBASE(00000065), ref: 0045EE48
                                                                                                                                                                  • Sleep.KERNEL32(00000000,?,?), ref: 0045EEFF
                                                                                                                                                                  • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 0045F20A
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0045F212
                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000000), ref: 0045F220
                                                                                                                                                                  • OutputDebugStringA.KERNELBASE(#@#^@#TGRERTERYERY,?,?,00000018,0000000A,Function_00002990,00000000,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045F234
                                                                                                                                                                  • OutputDebugStringA.KERNELBASE(ewetwertyer eytdryrtdy,00000000,00000000), ref: 0045F2F5
                                                                                                                                                                  • OutputDebugStringA.KERNEL32(td ydrthrhfty,00000000), ref: 0045F4D0
                                                                                                                                                                  • OutputDebugStringA.KERNELBASE(45 hgfch rtdyt gfch,0051D9CA,?,?), ref: 0045FEA5
                                                                                                                                                                  • CreateThread.KERNELBASE(00000000,00000000,00450430,00000000,00000000,00000000), ref: 0045FED0
                                                                                                                                                                  • CreateThread.KERNELBASE(00000000,00000000,00455FC0,00000000,00000000,00000000), ref: 0045FEE6
                                                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,0051DAE8,00000001,?,?), ref: 0046008D
                                                                                                                                                                  • CreateThread.KERNELBASE(00000000,00000000,Function_000564A0,00000000,00000000,00000000), ref: 00460280
                                                                                                                                                                  • CreateThread.KERNELBASE(00000000,00000000,Function_00058520,00000000,00000000,00000000), ref: 00460294
                                                                                                                                                                  • CreateThread.KERNELBASE(00000000,00000000,Function_0005A490,00000000,00000000,00000000), ref: 004602AB
                                                                                                                                                                  • CreateThread.KERNELBASE(00000000,00000000,Function_0005B4B0,00000000,00000000,00000000), ref: 004602C2
                                                                                                                                                                  • CreateThread.KERNELBASE(00000000,00000000,Function_0005CAE0,00000000,00000000,00000000), ref: 004602D9
                                                                                                                                                                  • CreateThread.KERNELBASE(00000000,00000000,Function_0005CC40,00000000,00000000,00000000), ref: 004602ED
                                                                                                                                                                  • CreateThread.KERNELBASE(00000000,00000000,Function_0005D7B0,00000000,00000000,00000000), ref: 00460301
                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,000493E0), ref: 004604BE
                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,000493E0), ref: 0046056B
                                                                                                                                                                  • OutputDebugStringA.KERNELBASE( drthdrthdrthdr hrtd hr,0051D9CA,?,?), ref: 00460FAA
                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 004607EF
                                                                                                                                                                    • Part of subcall function 00462D20: Concurrency::cancel_current_task.LIBCPMT ref: 00463084
                                                                                                                                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 004610D8
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 004610ED
                                                                                                                                                                  • Sleep.KERNEL32(00007530), ref: 00461109
                                                                                                                                                                  • Sleep.KERNEL32(00000064), ref: 00461174
                                                                                                                                                                  • Sleep.KERNELBASE(00000BB8,?,?), ref: 004611A9
                                                                                                                                                                  • shutdown.WS2_32(00000002), ref: 004611B3
                                                                                                                                                                  • closesocket.WS2_32 ref: 004611BF
                                                                                                                                                                  • Sleep.KERNEL32(000003E8,?,?), ref: 004611D7
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Create$Thread$Sleep$DebugOutputString$ObjectSingleWait$ErrorHandleLastMutexclosesocketshutdown$AddressCleanupCloseConcurrency::cancel_current_taskCurrentModuleProcProcessUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                  • String ID: 95$!(7$#?$$;+$$;+$094$1,)$3+$>00$ drthdrthdrthdr hrtd hr$!?=6$!?=6$#@#^@#TGRERTERYERY$$28 3$$28 3$$28 3$'$' 1$)/3/$.$1$4$45 hgfch rtdyt gfch$5!57$5!57$5!57$5!57$5!57$5!57$5!57$5!57$5!57$6>(.$8$$:$:$<290$<290$<290$>!6:$><3<$><3<8$$?($?>2$?>2$PnE$_Y$_Y$_Y$ewetwertyer eytdryrtdy$h0u$hHBT$hXCT$hhCT$hxCT$jjj$jjj$n1&k$n1&k$n1&k$n1&k$n1&k$n1&k$ntdll.dll$td ydrthrhfty$x345$x345$|)=%$|)=%$0w$3f$S2$[7$wc
                                                                                                                                                                  • API String ID: 2410146291-3778327771
                                                                                                                                                                  • Opcode ID: 77b46a48ab44eab4bccd9757b55f6f36dd584b1fd56f99d5612ab793db1a330f
                                                                                                                                                                  • Instruction ID: b7f19cb37b0b56de54bd6a9fc88ff5451383e5df5d0154206795b38d17b259f9
                                                                                                                                                                  • Opcode Fuzzy Hash: 77b46a48ab44eab4bccd9757b55f6f36dd584b1fd56f99d5612ab793db1a330f
                                                                                                                                                                  • Instruction Fuzzy Hash: E943CF30900258DBCB25DF68C895BEEBBB0AF15308F1441DAD4456B392EB74AF49CF96
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
  • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
  • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004485E3
• RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?), ref: 004486E2
• RegCloseKey.ADVAPI32(?,?,?), ref: 0044870C
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00448973
• GetUserNameA.ADVAPI32(?,00000104), ref: 004489A9
  • Part of subcall function 004160B0: GetModuleHandleA.KERNEL32(3B263619,?), ref: 00416186
  • Part of subcall function 004160B0: GetProcAddress.KERNEL32(00000000,34312111), ref: 00416191
  • Part of subcall function 004160B0: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004161E1
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020006), ref: 0044865A
  • Part of subcall function 00415E30: GetFileAttributesA.KERNELBASE(?,7FFFFFFF), ref: 00415EDC
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004490D9
• SHGetFolderPathA.SHELL32(00000000,00000007,00000000,00000000,?), ref: 004490F6
• CoInitialize.OLE32(00000000), ref: 004491DD
• CoCreateInstance.OLE32(Function_00115570,00000000,00000001,Function_00115540,?), ref: 004491FD
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 00449289
• CoUninitialize.OLE32 ref: 004492B9
• ShellExecuteA.SHELL32(00000000,=#1;,00000000,00000000,00000000,00000001), ref: 00449327
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: File$Copy$AttributesCreate$AddressByteCharCloseErrorExecuteFolderHandleInitializeInstanceLastModuleMultiNameOpenPathProcProcessShellUninitializeUserValueWide
• String ID: $!0&$".?9$"=3$#>4=$$1'$$;$$wz$$wz$&+ $&39-$'!8$'!8$'!8$'!8$'!8$'!8$02 $0>$$38$4:18$6<7$6<7-$6<94?9$6<94?9$6<94?9$6<94?9$7%3*$7+1$7+1$7:=$8#12$8#3$8wz$8wz$:' %%mwv$;/9/$=#1;$? =$?)$?2&>374;22.$?2&>47,4/.4;,$F/!.$H$I5=I$ps{!$ps{!$ps{!$ps{!$r$r$|$|$|$|$|6,0$|6,0$|6,0$|6,0$|?:>$~$~$~$~$~
• API String ID: 28878968-3024362790
• Opcode ID: e9beca0d44d6b3e0f7067b99af4fd5410984dd6de7413f022354d57091ea6fdf
• Instruction ID: 429461b7d5384cafcc2df35996eafbcc51918cc99cf467c7d99fa79c194b986d
• Opcode Fuzzy Hash: e9beca0d44d6b3e0f7067b99af4fd5410984dd6de7413f022354d57091ea6fdf
• Instruction Fuzzy Hash: C863AA70D042989ADB25EB64CD55BDEBBB4AF11308F0041DAE449772D2EB781F88CF96
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
(rendered graph omitted; legend: Executed / Not Executed. The graph covers the function whose entry block is 40cd50-40cdfa; its block-by-block text dump is not reproduced here, and the API calls it references are the ones listed under APIs below.)
APIs
  • Part of subcall function 0040AF30: GetCurrentProcess.KERNEL32(00000000,?,?,0040C4BE), ref: 0040AF3F
  • Part of subcall function 0040AF30: IsWow64Process.KERNEL32(00000000,?,0040C4BE), ref: 0040AF46
  • Part of subcall function 004EAB9B: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000000,00000000,?,00403276,00000000,0045DC3C,00000000), ref: 004EABB0
  • Part of subcall function 004EAB9B: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004EABCF
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,3B3F3D07,00000000), ref: 0040CF74
• RegQueryValueExA.KERNELBASE(00000000,3D37321F,00000000,00020019,?,00000400), ref: 0040CFCC
• RegCloseKey.ADVAPI32(00000000), ref: 0040D002
• GetCurrentHwProfileA.ADVAPI32(?), ref: 0040D0A7
• GetModuleHandleExA.KERNEL32(00000004,Function_0000BD20,00000000,?,?,?,?,?,?,00000000,00000000), ref: 0040D3A8
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,00000000,00000000), ref: 0040D3BD
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,3B3F3D07,00000000), ref: 0040D65A
• RegQueryValueExA.KERNELBASE(00000000,313B2102,00000000,00020019,?,00000400), ref: 0040D6B2
• RegCloseKey.ADVAPI32(00000000), ref: 0040D721
• GetComputerNameA.KERNEL32(?,00000104), ref: 0040D755
• GetUserNameA.ADVAPI32(?,00000104), ref: 0040D80F
• GetDesktopWindow.USER32 ref: 0040D840
• GetWindowRect.USER32(00000000,?), ref: 0040D84E
• GetUserDefaultLocaleName.KERNEL32(?,00000200), ref: 0040D8CD
• GetKeyboardLayoutList.USER32(00000000,00000000), ref: 0040D9CA
• LocalAlloc.KERNEL32(00000040), ref: 0040D9D9
• GetKeyboardLayoutList.USER32(?,00000000), ref: 0040D9EE
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0040DA16
• LocalFree.KERNEL32(3B3F3D07), ref: 0040DA8B
• GetLocalTime.KERNEL32(?), ref: 0040DAA2
• GetSystemTime.KERNEL32(?), ref: 0040DB30
• GetTimeZoneInformation.KERNELBASE(?), ref: 0040DB53
• TzSpecificLocalTimeToSystemTime.KERNELBASE(?,?,?), ref: 0040DB78
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,00000000), ref: 0040DC84
• RegQueryValueExA.KERNELBASE(00000000,?,00000000,00020019,?,00000400), ref: 0040DCD9
• RegCloseKey.ADVAPI32(00000000), ref: 0040DD14
• GetSystemInfo.KERNELBASE(?), ref: 0040DD3C
• GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040DD7D
• EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 0040DE21
• EnumDisplayDevicesA.USER32(00000000,00000001,?,00000001), ref: 0040DFF9
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E04C
• Process32First.KERNEL32(00000000,00000128), ref: 0040E064
• Process32Next.KERNEL32(00000000,00000128), ref: 0040E076
• Process32Next.KERNEL32(00000000,?), ref: 0040E0C2
• CloseHandle.KERNEL32(00000000), ref: 0040E0CD
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 0040E181
• RegEnumKeyExA.KERNELBASE(00000000,00000000,?,01002077,00000000,00000000,00000000,00000000), ref: 0040E1B2
• wsprintfA.USER32 ref: 0040E1F8
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,01002077), ref: 0040E218
• RegQueryValueExA.KERNELBASE(01002077,25273A16,00000000,000F003F,?,00000400), ref: 0040E26D
• RegQueryValueExA.KERNELBASE(01002077,25273A16,00000000,000F003F,?,00000400), ref: 0040E2B7
• RegCloseKey.ADVAPI32(01002077), ref: 0040E2FF
• RegCloseKey.ADVAPI32(00000000), ref: 0040E317
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Time$Close$OpenQueryValue$LocalNameSystem$EnumProcess32$CurrentDevicesDisplayFileHandleInfoKeyboardLayoutListLocaleModuleNextProcessUserWindow$AllocComputerCreateDefaultDesktopFirstFreeGlobalInformationMemoryProfileRectSnapshotSpecificStatusToolhelp32Unothrow_t@std@@@Wow64Zone__ehfuncinfo$??2@wsprintf
• String ID: ^E$"O$%1$%1$*`f$11$2mx|$91,.$;)9$;69$;69$?$?)/4$@$@$P$b$lw}*$r|tps$US9 6
• API String ID: 3690012277-3366278946
• Opcode ID: edaf7777c747bf334e1ba9b5ac52c2c07ead8a52947743ebef3e72c5c92dc61f
• Instruction ID: 7bd027b0dfb8d2919de4826a5c8300a61b342aa26dd66dfc15b9c1e4c8c75cd4
• Opcode Fuzzy Hash: edaf7777c747bf334e1ba9b5ac52c2c07ead8a52947743ebef3e72c5c92dc61f
• Instruction Fuzzy Hash: 53E28E71C0025DDADB11DBA0CC45BEEB7B8BF15308F00419AE549B7292EBB81B89CF65
Uniqueness
Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00434C41
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00434CE6
• GetPrivateProfileStringA.KERNEL32(?,3D203202,00000000,?,00000104,?), ref: 00434DB6
• lstrlenA.KERNEL32(?), ref: 00437778
  • Part of subcall function 0040AB40: __fread_nolock.LIBCMT ref: 0040AC3C
• CreateDirectoryA.KERNEL32(?,00000000,?,3421020E,?,00000000,3421020E,3421020F,?,?,><3<8$,><3<8$,00000000), ref: 00436806
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00436B77
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: CreateDirectoryPrivateProfile$FolderNamesPathSectionString__fread_nolocklstrlen
• String ID: 1$"!;3?;=$"!;3?;=$"2'&!8*=$"2'&!8*=$"nv=$"nv=$"nv=$"ov=$"ov=$"ov=$%1$%1$%1$%1$'!8$'!8$'!8$*,$0(33$0>4<$16&!ny<;$16&!oy<;$3$4<&8$4<&8$4<&8$8$8$8$8$8$8$8#-4$96-ax3:$96-fx3:$:<'!865<$><3<8$><3<8$$><3<8$$><3<8$$><3<8$$><3<8$$?9+w$?;=$\$\$_$by<;$by<;$by<;$cannot use operator[] with a string argument with $ey<;$ey<;$ey<;
• API String ID: 2628882823-1854249681
• Opcode ID: a5ba68485a38c1d7dc27bf28a2e010da92d7f83882af55282c1ec9672914cbca
• Instruction ID: a36599697f4023ba1647c38f0aef950e154c638e9f7ae6bdb9cf337964260f01
• Opcode Fuzzy Hash: a5ba68485a38c1d7dc27bf28a2e010da92d7f83882af55282c1ec9672914cbca
• Instruction Fuzzy Hash: 0F53CF70C042989EDF25DB64CC48BEEBBB4AF16308F1441DED44967282EB785B89CF95
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
                                                                                                                                                                    • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
                                                                                                                                                                    • Part of subcall function 0040B270: CreateDirectoryA.KERNELBASE(?,00000000,00000005,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B2B5
                                                                                                                                                                    • Part of subcall function 0040B1A0: std::_Throw_Cpp_error.LIBCPMT ref: 0040B24F
                                                                                                                                                                    • Part of subcall function 0040B1A0: std::_Throw_Cpp_error.LIBCPMT ref: 0040B260
                                                                                                                                                                  • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00459B2F
                                                                                                                                                                  • CreateDirectoryA.KERNEL32(?,00000000,00000000,?), ref: 00459CDC
                                                                                                                                                                  • CreateDirectoryA.KERNEL32(?,00000000,00000000,?), ref: 00459DA2
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorFileLast
                                                                                                                                                                  • String ID: !$=+$!$=+$!6&#$!6&#$!67 $2$!67 $2$"$"2 =$"2 =$"2 =$"2 =$$28 3$$28 3$$28 3$$28 3$$6,0$$6,0$$6,0$$6,0$%1$&<?08$&<?08$)$)$*:$*:$*:$*:$31$31$31$6<94?9$6<94?9$6<94?96<94?9$6<94?96<94?9$7+$<$7+$<$7+$<$7+$<$:' %$:' %$<290$<290$<290$<290$=>=*$=>=*$=>=*$?4=$?4=$t/$)$t/$)$w Y_$w ]p$|',!$|',!$|',!
                                                                                                                                                                  • API String ID: 453214671-2294095452
                                                                                                                                                                  • Opcode ID: 7ffdaf4037cb2d030a63199d217c015197ae860a8e502b6e60a93467012496ea
                                                                                                                                                                  • Instruction ID: 57ae14f2feaf59c3a95a653b4d20b0d10ef2dfc7cc1885f066834b7badb08a9e
                                                                                                                                                                  • Opcode Fuzzy Hash: 7ffdaf4037cb2d030a63199d217c015197ae860a8e502b6e60a93467012496ea
                                                                                                                                                                  • Instruction Fuzzy Hash: 70036B70904298DEDB25EB65C9597DEBBB4AF11308F0400DED44977292EBB81F88CF5A
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,3E3B3C31), ref: 004282B4
                                                                                                                                                                    • Part of subcall function 0040AB40: __fread_nolock.LIBCMT ref: 0040AC3C
                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042A957
                                                                                                                                                                    • Part of subcall function 004DE42B: RaiseException.KERNEL32(E06D7363,00000001,00000003,0045DCD0,0045DCD0,?,?,004DAF37,0045DCD0,0053D744,00000000,0045DCD0,00000000,00000001), ref: 004DE48B
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ExceptionFolderPathRaiseUnothrow_t@std@@@__ehfuncinfo$??2@__fread_nolock
                                                                                                                                                                  • String ID: !67 $2$!8*2$"2 =$#;,$#;,$$.(-$$.(-$$.(-$$.(-$$.(-$$28 3$$28 3$$6,0$$bd$$be$'$'$'$'$*:$/',<$/',<$/',<$/',<$1$1$1<;>$1<;>?2+$6<94?9$7+$<$7=7'$7=7'$7=7'$7=7'$9%3$:' %$<290$?2+$[$\$\$\$\$\$\$\$\$\$\$cannot use operator[] with a string argument with
                                                                                                                                                                  • API String ID: 763711979-1342090246
                                                                                                                                                                  • Opcode ID: d4924dc1aa83f635cd173e36e8337de148a2d92050d0f285119bc9b0dc1bf2fd
                                                                                                                                                                  • Instruction ID: 75da0da8fc7ec44c57da9840ff1f0e32adef3685c6fae34395cd54ce1a610f13
                                                                                                                                                                  • Opcode Fuzzy Hash: d4924dc1aa83f635cd173e36e8337de148a2d92050d0f285119bc9b0dc1bf2fd
                                                                                                                                                                  • Instruction Fuzzy Hash: 1A73CD70D002A88BDB25DB68DC547EEBBB0AF15308F5441DED44967282DB786F88CF99
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Cpp_errorThrow_std::_$AttributesCreateDirectoryErrorFileLast
                                                                                                                                                                  • String ID: !$=+$"!;3$"!;3$"!;3$"!;3$"!;3$"!;3$"!;3$"!;3$"2'&!8*=$"2'&!8*=$"2'&!8*=$"2'&!8*=$"2'&!8*=$"2'&!8*=$"2'&!8*=$"2'&!8*=$% 7+$% 7+$% 7+$%1$%1$%1$%1$%1w $&+$&+$&+$'!8$'!8$'!8$'!8$'!8$'!8$'!8$'!8$)$31$31$58*=$;615$>(r)$>(r)$>(r)$><3<8$><3<8$><3<8$><3<8$><3<8$><3<8$><3<8$><3<8$?;=$?;=$?;=$?;=$?;=$?;=$?;=$?;=$?;=*$`a$i$t/$)$t/$)$u$w $w $w %1$w %1$w w
                                                                                                                                                                  • API String ID: 325604351-255260331
                                                                                                                                                                  • Opcode ID: e556535a9cc80b20ff5b8f10c0fe63d3abeddd39d78d0eecea6124594b8e99d3
                                                                                                                                                                  • Instruction ID: b3a347ab2d5913c55b79dc2b7675eac22e4de48785ab9d64140a0416f3fdeda6
                                                                                                                                                                  • Opcode Fuzzy Hash: e556535a9cc80b20ff5b8f10c0fe63d3abeddd39d78d0eecea6124594b8e99d3
                                                                                                                                                                  • Instruction Fuzzy Hash: FB137B30C04298DADB21EBA5CD557DDBBB4AF21308F4441EED44977292EBB81F88CB56
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: ""5$"6$";=w$"cjt$$$$8/*$$85<$'$)>.$*/>$,$,&$/($28$3$3/$4>($5,/8$58*=$58*=$58*=$7$7:$8$8>3$9$9#$9%<$9%<$94$99$99$9:2<$:2v7$:31$:86$;$;$;-$;2$;2xq$;5=/$;8<6$;>-4$;>-4$>$>86j$>:1778$?"5$?)$?/$?8$e$}
                                                                                                                                                                  • API String ID: 0-1917627054
                                                                                                                                                                  • Opcode ID: a3c8e956da570ee25101835e7003ff49c9b78fbf518cf9b4dba23278fd7aedad
                                                                                                                                                                  • Instruction ID: da39ab965d1940bc429dee9ee324b5140dc3135ed84ad1a1ee1fae0531cfa133
                                                                                                                                                                  • Opcode Fuzzy Hash: a3c8e956da570ee25101835e7003ff49c9b78fbf518cf9b4dba23278fd7aedad
                                                                                                                                                                  • Instruction Fuzzy Hash: 6343A0B0C006699ADF15DF68C9156EEBBB4AF15308F0442CED45437282DBB91B8ACFD6
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• CreateThread.KERNELBASE(00000000,00000000,0041E220,00000000,00000000,00000000), ref: 0045E684
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 0045E68B
• Sleep.KERNELBASE(00000001), ref: 0045E738
• GetTempPathA.KERNEL32(000000FB,?,00000000), ref: 0045E78E
  • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
  • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
• CreateDirectoryA.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 0045E927
• CreateDirectoryA.KERNELBASE(00000000,00000000,?,00000000), ref: 0045E953
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045E96A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Create$Directory$AttributesChangeCloseErrorFileFindLastNotificationPathSleepTempThreadUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID: drthdrthdrthdr hrtd hr$!?=6$3$37;7$:$:6=1$?$PnE$h$h0u$hHBT$hXCT$hhCT$hxCT$jjj$x345$>i$pi
• API String ID: 2868636072-2239746989
• Opcode ID: 060185c10945b35e633fe78b632396f90ace800327952daae0b24959247380db
• Instruction ID: 8077588bf94c0e4bc39e93033f8a776c4edc121c9ce1f6a3b1a7cfd8669552db
• Opcode Fuzzy Hash: 060185c10945b35e633fe78b632396f90ace800327952daae0b24959247380db
• Instruction Fuzzy Hash: D3121470A002488BCB18EF69CC55BDEBB71AF55308F1441DEE9056B2D2EB745F48CB9A
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,3E3B2735,?,?,?,00000004), ref: 0042CAB4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: FolderPath
• String ID: !6&#$$.(-$$.(-$$.(-$$bd$$be$&<?08\$'$'$'$/',<$/',<$/',<$39+$5';>$5';>39+$7=7'$7=7'$7=7'$?4=$V$\$\$\$\$\$\$\$\$\$\$cannot use operator[] with a string argument with
• API String ID: 1514166925-3834567515
• Opcode ID: f6d095819e170645b5d619eb65eb2d2f37c51cdae5ce08f972e7f4a27304ea9d
• Instruction ID: 533f620bba5b2773b9cbc6b6bd3ac26e45f2e0f23bfd5e739c1d7210883c523b
• Opcode Fuzzy Hash: f6d095819e170645b5d619eb65eb2d2f37c51cdae5ce08f972e7f4a27304ea9d
• Instruction Fuzzy Hash: EB23CF70D002A88BDF25DB68CD547EEBBB0AF15304F1442DEE44967282DBB85B89CF95
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: AttributesCreateDirectoryErrorFileLast
• String ID: 9-4$9-4$ $!$=+$!$=+$"/,$"8* $"8* $%1$%1$&:90$&:90$'!8$'!8$)$)$12&1$12&1$7+$/29+$7+$/29+$7+$;86-2$7+$;86-2$8>.$8>.$9:.9$9:.9$<290$<290$<:7>865<$<:7>865<$>2'!17,($>2'!17,($t/$)$w ]p:;-TP$|',!$|',!
                                                                                                                                                                  • String ID: 9-4$9-4$ $!$=+$!$=+$"/,$"8* $"8* $%1$%1$&:90$&:90$'!8$'!8$)$)$12&1$12&1$7+$/29+$7+$/29+$7+$;86-2$7+$;86-2$8>.$8>.$9:.9$9:.9$<290$<290$<:7>865<$<:7>865<$>2'!17,($>2'!17,($t/$)$w ]p:;-TP$|',!$|',!
                                                                                                                                                                  • API String ID: 674977465-2093587463
                                                                                                                                                                  • Opcode ID: 98b0d257eeace487a820dd65874f182ad37eee071a1dbe34687a9023e96619b4
                                                                                                                                                                  • Instruction ID: f1ec3ed8df4f27eeeafdc384d20f3ca36f04232fc952ab87f7a7b0810dcce7f9
                                                                                                                                                                  • Opcode Fuzzy Hash: 98b0d257eeace487a820dd65874f182ad37eee071a1dbe34687a9023e96619b4
                                                                                                                                                                  • Instruction Fuzzy Hash: DAC29E708042989EDB25EB65CC557DEBBB4AF11308F0401DED44977292EBB81F88DF9A
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00431C6A
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FolderPath
                                                                                                                                                                  • String ID: $.(-$$.(-$$.(-$'$'$-$.:(8$/',<$/',<$/',<$7;x$7;x.:(8$7=7'$7=7'$7=7'$@$\$\$\$\$|?07$|?;2
                                                                                                                                                                  • API String ID: 1514166925-1389865942
                                                                                                                                                                  • Opcode ID: 14fb29825fe25cef5644d52a7b6c73922ed2e3d4fefc7c99748425dc69eb5ccf
                                                                                                                                                                  • Instruction ID: 4f9d6433decd39c3757a30e706ca711ed30d3895debe888d9332c55e6a9be982
                                                                                                                                                                  • Opcode Fuzzy Hash: 14fb29825fe25cef5644d52a7b6c73922ed2e3d4fefc7c99748425dc69eb5ccf
                                                                                                                                                                  • Instruction Fuzzy Hash: 08E2BE70D002588BDF24DF68CD487EEBBB1AF55308F1442DED0496B292DBB85B89CB95
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: "!;3?;=$"2'&!8*=$$.(-$$.(-$$.(-$$bd$$be$'$'$'$'!8$/',<$/',<$/',<$2$7=7'$7=7'$7=7'$><3<8$><3<8$$N$\$\$\$\$\$\$\$\$\$cannot use operator[] with a string argument with
                                                                                                                                                                  • API String ID: 0-1876853861
                                                                                                                                                                  • Opcode ID: efad77fb7c11f0aef965a937dd6e0eb81531518e292c7aab51d29e06fc2dd93b
                                                                                                                                                                  • Instruction ID: 23905bb18fd000cec8556e00b281b5b68f5f5e10fed6cbdd06ccf3518dd8b67d
                                                                                                                                                                  • Opcode Fuzzy Hash: efad77fb7c11f0aef965a937dd6e0eb81531518e292c7aab51d29e06fc2dd93b
                                                                                                                                                                  • Instruction Fuzzy Hash: F403E070D002A8DADF25DF68C844BEEBBB0AF15304F5441DED44967292DBB85B88CF95
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  APIs
                                                                                                                                                                  • LoadLibraryA.KERNELBASE(00000000), ref: 0045DE2C
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0045DE74
                                                                                                                                                                  • MessageBoxA.USER32(00000000,00000000,00000000,00000014), ref: 0045DFEC
                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045E088
                                                                                                                                                                  • GetProcessId.KERNELBASE(0000A9BE,00000000,00000000,00000003,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0045E0E5
                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045E414
                                                                                                                                                                  • SetThreadExecutionState.KERNEL32(80000041), ref: 0045E47D
                                                                                                                                                                  • SetThreadExecutionState.KERNEL32(80000001), ref: 0045E488
                                                                                                                                                                    • Part of subcall function 00414ED0: CoInitializeEx.OLE32(00000000), ref: 00414F21
                                                                                                                                                                    • Part of subcall function 00414ED0: CoCreateInstance.OLE32(0051F29C,00000000,00000001,005264AC,00000000), ref: 00414F5B
                                                                                                                                                                    • Part of subcall function 00414ED0: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 0041500D
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CreateExecutionStateThreadUnothrow_t@std@@@__ehfuncinfo$??2@$AddressInitializeInstanceLibraryLoadMessageProcProcess
                                                                                                                                                                  • String ID: "#(w$%::=$&!!0$&!!0$&!!0$&!!0$&!!0$6$>70$?9?x$VW}8$gy<5$$?$^?
                                                                                                                                                                  • API String ID: 3671032131-1329971128
                                                                                                                                                                  • Opcode ID: b326a040ec13b3a0722b3792d31c4eec2e6cc7952a8ad3ba8b0fac31b3da6a70
                                                                                                                                                                  • Instruction ID: cc232912bdbecafd924210c8f3a8d0976e8c52aa9e09a0efcb575e00b7293480
                                                                                                                                                                  • Opcode Fuzzy Hash: b326a040ec13b3a0722b3792d31c4eec2e6cc7952a8ad3ba8b0fac31b3da6a70
                                                                                                                                                                  • Instruction Fuzzy Hash: 2032E274A00614CBCB28CF15C894BAEB7B1FF59309F14419ADD056B392EB74AE49CF89
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
                                                                                                                                                                    • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
                                                                                                                                                                  • SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?), ref: 0044AD86
                                                                                                                                                                  • SHGetFolderPathA.SHELL32(00000000,00000005,00000000,00000000,?,?,?,?,?,?,?,06111778,?,?), ref: 0044AF74
                                                                                                                                                                  • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?,?,?,?,?,?,?,161B1778,?,?), ref: 0044B176
                                                                                                                                                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?,?,?,?,10070678,?,?), ref: 0044B404
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FolderPath$AttributesErrorFileLast
                                                                                                                                                                  • String ID: $1#$175$ $ &80$ &80$ &80115?($ &80175>>.$*$:$>>.$type must be boolean, but is $z}y|${${$~s
                                                                                                                                                                  • API String ID: 133263752-2053842511
                                                                                                                                                                  • Opcode ID: 671fa70304b43e5d7022ef0ee260fc848fd2ef3ab9c9c5c3cfc9a361679a5cbf
                                                                                                                                                                  • Instruction ID: edb6fcdc740fcd203abd4a1a4372474ddc1a219639bcc899f6d1fc62923c7786
                                                                                                                                                                  • Opcode Fuzzy Hash: 671fa70304b43e5d7022ef0ee260fc848fd2ef3ab9c9c5c3cfc9a361679a5cbf
                                                                                                                                                                  • Instruction Fuzzy Hash: EEC2D070D002589AEF25DF64C858BEEBBB4AF16304F1081DED44977282EB785B89CF95
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Control-flow Graph

APIs
• RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,?,00544428,?,><3<8$,?,?,?,00000000), ref: 00440D5B
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 00440D99
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00000000), ref: 00440DC8
• RegQueryValueExA.ADVAPI32(?,3C353E17,00000000,00000001,?,00000104), ref: 00440EBF
• RegQueryValueExA.ADVAPI32(?,05151E1B,00000000,00000001,?,00000104,?,?,?,?,0000002D,?), ref: 00440FEF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: OpenQueryValue$Enum
• String ID: !$"!;3?;=$"2'&!8*=$'!8$),3/$,>.$-$:$><3<8$><3<8$$><3<8$$cannot use operator[] with a string argument with
• API String ID: 2712010499-1536734624
• Opcode ID: d5483edddbe61dc8d06b703bb21a103f4ed3c9afd3d422cfc491d4559c552cbe
• Instruction ID: 2b32559d8a7d614ef5bf6fab99dc021176b483d3f751ddb0dabf5cb0ba90f989
• Opcode Fuzzy Hash: d5483edddbe61dc8d06b703bb21a103f4ed3c9afd3d422cfc491d4559c552cbe
• Instruction Fuzzy Hash: 2B929B70C002989FEB25CB64CC84BDEBBB4AF55304F1481DAD149A7292EB785BC9CF95
Uniqueness

Uniqueness Score: -1.00%

APIs
• CredEnumerateA.ADVAPI32(00000000,00000001,00000000,?,?,?,><3<8$,><3<8$,00000001), ref: 0043DFD9
  • Part of subcall function 0040AF70: GetModuleHandleA.KERNEL32(3930271C), ref: 0040AFE5
  • Part of subcall function 0040AF70: GetProcAddress.KERNEL32(00000000,12382700), ref: 0040AFF0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: AddressCredEnumerateHandleModuleProc
• String ID: !$!8*=$"!;3?;=$"!;3?;=$"!;3?;=$"2'&!8*=$"2'&!8*=$'!8$'!8$'!8$8$8$$><3<$><3<8$><3<8$$><3<8$$><3<8$$cannot use operator[] with a string argument with $hHS
• API String ID: 2949927473-1437918641
• Opcode ID: a4db88ad71298e35db049359eb4ef705bdaafad226df2a2b64694961d8ebcb9f
• Instruction ID: 066672279fb6fdae9836c2dcee111eee1fbb7ccffcc1ffbf2bea6a5a1071ae00
• Opcode Fuzzy Hash: a4db88ad71298e35db049359eb4ef705bdaafad226df2a2b64694961d8ebcb9f
• Instruction Fuzzy Hash: 4213AC70C002989FDB25DF68C894BEEBBB1AF59304F1481DED44967382DB785A89CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: AttributesCreateDirectoryErrorFileLast
• String ID: !$=+$!$=+$"2 =$"2 =$$28 3$$28 3$%1$%1$&+$'!8$'!8$)$)$*$6$6u(%$8;78$8;78$9115$9115$<290$<290$>($>(r)$w ]p$w ^p$|',!$|',!
• API String ID: 674977465-1310367266
• Opcode ID: cf79787d20b9fdde4aebdf231145ceb7cdc9beee516a7e86f7579d5da9f20a00
• Instruction ID: 443d7c8e7de7a932d6356f6d7193eec45498cc015ea55a0ce504edb69b8ec486
• Opcode Fuzzy Hash: cf79787d20b9fdde4aebdf231145ceb7cdc9beee516a7e86f7579d5da9f20a00
• Instruction Fuzzy Hash: 8B92A170800298DEDB25DB65C9547DEBBB0AF11308F4401DED44A77292EBB81F89DF9A
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004379A8
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00437A51
• GetPrivateProfileStringA.KERNEL32(?,3D203202,00000000,?,00000104,?), ref: 00437B09
• lstrlenA.KERNEL32(?), ref: 0043865B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
• String ID: $ 1$$28 3$(:$$)u53$/$0>4<$3& :0>45$3& :0>45$7$<290$E$\$\$cannot use operator[] with a string argument with
• API String ID: 1311570089-3057292652
• Opcode ID: cf1d678104529869d654caef468fc70614daf93760f940c3c0adcc719c89f986
• Instruction ID: ddf5894e4190de8f0e61275d0d4fb3d3b3478f7ba823619425044a5b04d8193a
• Opcode Fuzzy Hash: cf1d678104529869d654caef468fc70614daf93760f940c3c0adcc719c89f986
• Instruction Fuzzy Hash: 77A20570D04258DBDF24DF64C844BDEBBB4AF19308F1441DEE449A7282EB789A89CF95
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,00000000), ref: 0042EBF6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: FolderPath
• String ID: #;,$#;,$#;,$0$6$6$8."9$:$=;$\$\$\$\$\$\
• API String ID: 1514166925-1881394054
• Opcode ID: e1dcbe92a181f29a18b6a48160ac96176308741a0d699b863ec889ea32435a16
• Instruction ID: b445a2ad30d8c54ff25b387d12b59af1ff6d145f857a574eb7cb2bfe283ce7ce
• Opcode Fuzzy Hash: e1dcbe92a181f29a18b6a48160ac96176308741a0d699b863ec889ea32435a16
• Instruction Fuzzy Hash: CE03BE70C00298CBDB25CFA4C9547EEBBB4AF15308F5442EED44967282DBB85B88DF95
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
  • Part of subcall function 00442BC0: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 00442C53
  • Part of subcall function 00442BC0: CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00442CAF
  • Part of subcall function 00442BC0: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00442CE0
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045CCE2
• CreateDirectoryA.KERNEL32(?,00000000,-00000034,-0000004C), ref: 0045CE22
• CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,-00000034,-0000004C), ref: 0045CEB5
• CreateDirectoryA.KERNEL32(?,00000000,?,00000000,?,?,-00000034,-0000004C), ref: 0045CF4B
• CreateDirectoryA.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,-00000034,-0000004C), ref: 0045D094
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045D1C8
• CreateDirectoryA.KERNEL32(?,00000000,-00000034,-0000004C), ref: 0045D2ED
• CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,-00000034,-0000004C), ref: 0045D39B
• CreateDirectoryA.KERNEL32(?,00000000,?,00000000,?,?,-00000034,-0000004C), ref: 0045D44C
• CreateDirectoryA.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,-00000034,-0000004C), ref: 0045D583
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: CreateDirectory$FolderPath
• String ID: &$1>6*$:$:$:2,*
• API String ID: 2162323195-767720039
• Opcode ID: fb07ffd516cc63e48e0f198ad5df8fc22a19cee968f63295e4c77e99f8e61995
• Instruction ID: a11f9bbd75db19bf2036a061469339dd4db8b36148c84a1e59e7a939270b7f62
• Opcode Fuzzy Hash: fb07ffd516cc63e48e0f198ad5df8fc22a19cee968f63295e4c77e99f8e61995
• Instruction Fuzzy Hash: E962B131D0428CDEDB20DBA4C955BDEBB74AF21308F5400AEE44677182EBB85F89DB56
APIs
• FindFirstFileA.KERNELBASE(?,?,DT,?,?,?,\*.*,00000004), ref: 0040B423
• std::_Throw_Cpp_error.LIBCPMT ref: 0040B714
• std::_Throw_Cpp_error.LIBCPMT ref: 0040B725
Similarity
• API ID: Cpp_errorThrow_std::_$FileFindFirst
• String ID: \*.*$DT
• API String ID: 1487763586-2523999094
• Opcode ID: 30924590082df6f8f44c65e7c5fb01c90aa8068626bc23e195d49093b75cde99
• Instruction ID: ac939954ec097e0f466dd701cbb477dfb9ac36ed8f0a1d488013fd253ef2818d
• Opcode Fuzzy Hash: 30924590082df6f8f44c65e7c5fb01c90aa8068626bc23e195d49093b75cde99
• Instruction Fuzzy Hash: FCC1CF70D00249CFDB10DFA4C8487EEBBB1FF55314F14426AE044BB292E7B45A88DB99
APIs
• LoadLibraryA.KERNELBASE($2!9"440t?01), ref: 0043C845
• GetProcAddress.KERNEL32(00000000,?), ref: 0043C890
• GetProcAddress.KERNEL32(?), ref: 0043C8CC
• GetProcAddress.KERNEL32(39213204), ref: 0043C90B
• GetProcAddress.KERNEL32(39213204), ref: 0043C94B
• GetProcAddress.KERNEL32(?), ref: 0043C97E
• GetProcAddress.KERNEL32(39213204), ref: 0043C9BD
• GetProcAddress.KERNEL32(39213204), ref: 0043C9FC
• FreeLibrary.KERNEL32 ref: 0043CA51
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: $2!9"440t?01$2+$4=(
• API String ID: 2449869053-1843404136
• Opcode ID: f423dc4987d352ac9937d848cd9fb5e714644b23985bd1ebfd8db31034e5f883
• Instruction ID: b30b69da85a4116f3a82840f577a0ae83ca26ffad3fe6e2f7a477cc7da58665a
• Opcode Fuzzy Hash: f423dc4987d352ac9937d848cd9fb5e714644b23985bd1ebfd8db31034e5f883
• Instruction Fuzzy Hash: 4A710270814288CAEB09CFA4E8487EEBBF8EF2A308F10406ED444BA621D375461DDF65
APIs
• setsockopt.WS2_32(0000036C,0000FFFF,00001006,?,00000008), ref: 0041E2B2
• recv.WS2_32(?,00000004,00000002), ref: 0041E2CD
• WSAGetLastError.WS2_32 ref: 0041E2D1
• recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 0041E34F
• recv.WS2_32(00000000,0000000C,00000008), ref: 0041E370
• setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 0041E40C
• recv.WS2_32(00000000,?,00000008), ref: 0041E427
  • Part of subcall function 0041D430: WSAStartup.WS2_32 ref: 0041D45A
  • Part of subcall function 0041D430: getaddrinfo.WS2_32(?,?,?,00544318), ref: 0041D4DC
  • Part of subcall function 0041D430: socket.WS2_32(?,?,?), ref: 0041D4FD
  • Part of subcall function 0041D430: connect.WS2_32(00000000,?,?), ref: 0041D511
  • Part of subcall function 0041D430: closesocket.WS2_32(00000000), ref: 0041D51D
  • Part of subcall function 0041D430: freeaddrinfo.WS2_32(?,?,?,?,00544318,?,?), ref: 0041D52A
  • Part of subcall function 0041D430: WSACleanup.WS2_32 ref: 0041D530
• recv.WS2_32(?,00000004,00000008), ref: 0041E52F
• __Xtime_get_ticks.LIBCPMT ref: 0041E536
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041E544
• Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 0041E5BD
• Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 0041E5C5
Similarity
• API ID: recv$Sleepsetsockopt$CleanupErrorLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectfreeaddrinfogetaddrinfosocket
• String ID:
• API String ID: 4125349891-0
• Opcode ID: 580c8232041fafc6c313b0223a4dc36542a08a78d0ad8692d06638b5ea451f28
• Instruction ID: 445f019a92e67a07c5577944838b6ba889f153fe2f7e7f97530082f2635256d3
• Opcode Fuzzy Hash: 580c8232041fafc6c313b0223a4dc36542a08a78d0ad8692d06638b5ea451f28
• Instruction Fuzzy Hash: BFB1BB74D00208DFDB10DFA5DC49BDEBBB1BF55308F20421AE514AB2D2E7B85989DB85
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: $#;,$$28 3$(:$$(:$$)$3& :0>45$<290$@$\$\$\$cannot use operator[] with a string argument with
                                                                                                                                                                  • API String ID: 0-679915065
                                                                                                                                                                  • Opcode ID: f4ce3e09bb1f6dc4405848f6facc84ebd0473553681d84de9085b5a15f287adc
                                                                                                                                                                  • Instruction ID: bd44913ac096deb082ad73b4e6b56e58228a4cafe484209f312c39f122f53dde
                                                                                                                                                                  • Opcode Fuzzy Hash: f4ce3e09bb1f6dc4405848f6facc84ebd0473553681d84de9085b5a15f287adc
                                                                                                                                                                  • Instruction Fuzzy Hash: F0A2F170E002689BDB14DF68D9447EEBBB0BF15304F14419EE449AB382DB78AE85CF95
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: $ $$28 3$(:$$(:$$)$3& :0>45$<290$\$\$cannot use operator[] with a string argument with
                                                                                                                                                                  • API String ID: 0-3638146340
                                                                                                                                                                  • Opcode ID: 64b2a237422e15c23b1dbf90addf676b975125643fa182a2141d73a306c2725e
                                                                                                                                                                  • Instruction ID: eb2dd55f6141e2d675d9ff2e9574dc4233fb147083f3686e6ff04d1ed0a00ccf
                                                                                                                                                                  • Opcode Fuzzy Hash: 64b2a237422e15c23b1dbf90addf676b975125643fa182a2141d73a306c2725e
                                                                                                                                                                  • Instruction Fuzzy Hash: AC72E270E00268DBDB24DF68D9447EEBBB0BF15304F14429ED44967382DB789A85CF95
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0040AF30: GetCurrentProcess.KERNEL32(00000000,?,?,0040C4BE), ref: 0040AF3F
                                                                                                                                                                    • Part of subcall function 0040AF30: IsWow64Process.KERNEL32(00000000,?,0040C4BE), ref: 0040AF46
                                                                                                                                                                  • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,-00020019,00000000,3B3F3D07,3B3F3D08,00000000), ref: 0040C571
                                                                                                                                                                  • RegQueryValueExA.KERNELBASE(00000000,3D37321F,00000000,00020019,?,00000400), ref: 0040C5D1
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0040C600
                                                                                                                                                                  • GetCurrentHwProfileA.ADVAPI32(?), ref: 0040C687
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CurrentProcess$CloseOpenProfileQueryValueWow64
                                                                                                                                                                  • String ID: 9 6$_$_$___
                                                                                                                                                                  • API String ID: 165412945-709806127
                                                                                                                                                                  • Opcode ID: 5cd2a4df2292861caf53cffa11f71afccab2696aa57efb9352eba9039fe28151
                                                                                                                                                                  • Instruction ID: b6e6a19ac1b1cbb26a093045ac3f8d51f6027d5e17e321542ac0e50d899cf592
                                                                                                                                                                  • Opcode Fuzzy Hash: 5cd2a4df2292861caf53cffa11f71afccab2696aa57efb9352eba9039fe28151
                                                                                                                                                                  • Instruction Fuzzy Hash: F502E370C00258DEDB15CFA4C894BEEBB74AF15308F1442AEE44577292EBB95B88CF95
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetModuleHandleA.KERNEL32(3B263619,?), ref: 00416186
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,34312111), ref: 00416191
                                                                                                                                                                  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004161E1
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressCreateHandleModuleProcProcess
                                                                                                                                                                  • String ID: 3;kk$589.$D$t?01
                                                                                                                                                                  • API String ID: 3485509086-2234503220
                                                                                                                                                                  • Opcode ID: 60fdf11987f52a907e9139c4ff7ff0b270cfe81cb3f605bd94377336c0d26766
                                                                                                                                                                  • Instruction ID: 584c3f6ed54951fa46cdd62f7e73c497529d8eb16fd8f44b13c31fb8133d280f
                                                                                                                                                                  • Opcode Fuzzy Hash: 60fdf11987f52a907e9139c4ff7ff0b270cfe81cb3f605bd94377336c0d26766
                                                                                                                                                                  • Instruction Fuzzy Hash: AE51F170E00258AFDB14CFA8CC85BEEBBB4FF44704F14419EE509AB292D778A945CB84
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,3& :0>45,?,?,?,?), ref: 00422491
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FolderPath
                                                                                                                                                                  • String ID: #;,$)$3& :0>45$\$cannot use operator[] with a string argument with
                                                                                                                                                                  • API String ID: 1514166925-1855882293
                                                                                                                                                                  • Opcode ID: 3ebb378d9fe853fa1044d13e6eee951fc921af984e79a2ceff0af9d13f019fc0
                                                                                                                                                                  • Instruction ID: 2cac8e893caf096c73f10a18816257fa98d3f374838489ee5a6c4980580f9952
                                                                                                                                                                  • Opcode Fuzzy Hash: 3ebb378d9fe853fa1044d13e6eee951fc921af984e79a2ceff0af9d13f019fc0
                                                                                                                                                                  • Instruction Fuzzy Hash: 6EF1BD70D04268DADB14DF64C955BDEBBB4BF15308F1482DEE44967282DBB81B88CF91
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 004065C1
                                                                                                                                                                  • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 004065FE
                                                                                                                                                                  • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 004066F1
                                                                                                                                                                  • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0040673E
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ___std_fs_directory_iterator_advance@8
                                                                                                                                                                  • String ID: .
                                                                                                                                                                  • API String ID: 2610647541-248832578
                                                                                                                                                                  • Opcode ID: 8417005a20e023fd73ba9afad58ff86ec2193d77c7355dce5408bdd34dd6c1b5
                                                                                                                                                                  • Instruction ID: 0ef23cfc4c65f78b20a5b115fbe71865ac88f3790106b09d81af8426c26c804f
                                                                                                                                                                  • Opcode Fuzzy Hash: 8417005a20e023fd73ba9afad58ff86ec2193d77c7355dce5408bdd34dd6c1b5
                                                                                                                                                                  • Instruction Fuzzy Hash: 5AD1D071900616DFCB20CF58C8947AEB7B4FF48328F15466AD816A77C0D73AAD65CB84
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • FindFirstFileA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0100790E,?,?,0100790E,0100790F), ref: 0041FAA5
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FileFindFirst
                                                                                                                                                                  • String ID: \
                                                                                                                                                                  • API String ID: 1974802433-2967466578
                                                                                                                                                                  • Opcode ID: 5bbcc126d914579265a40fd4ca7be5a57979520a1f4ae4eeccc74d064bc25890
                                                                                                                                                                  • Instruction ID: 0eabd7acd7812341df4d8f5e7d8ba5b9313bc1fcfed4fcfaeac043b0cd9dd738
                                                                                                                                                                  • Opcode Fuzzy Hash: 5bbcc126d914579265a40fd4ca7be5a57979520a1f4ae4eeccc74d064bc25890
                                                                                                                                                                  • Instruction Fuzzy Hash: F8B1D0708002498FDF15CFA8C8587FEBBB0BF15308F14425EE455AB292D7785A8ADB94
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: __fread_nolock
                                                                                                                                                                  • String ID: ' 1'865<$($-$-$P.^$n:
                                                                                                                                                                  • API String ID: 2638373210-269613232
                                                                                                                                                                  • Opcode ID: 6a59506fcf7738322d9559557d0deef2654a8dbb9e461e260b90984ace6356b8
                                                                                                                                                                  • Instruction ID: 06e47fb3e71705996d4c10820d621363cd6d4ebf6feef214284d50ab64b5b3c6
                                                                                                                                                                  • Opcode Fuzzy Hash: 6a59506fcf7738322d9559557d0deef2654a8dbb9e461e260b90984ace6356b8
                                                                                                                                                                  • Instruction Fuzzy Hash: 0722D170D00288DFDF14DFA8C9597EDBBB0AF15308F14819ED445AB382EBB85A48DB95
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetCursorPos.USER32(?), ref: 0045DA07
                                                                                                                                                                  • GetCursorPos.USER32(?), ref: 0045DA15
                                                                                                                                                                  • Sleep.KERNELBASE(000003E9,?,?,00000000,?,?,?,?,?,?,?,?,0045DDB8), ref: 0045DACA
                                                                                                                                                                  • GetCursorPos.USER32(?), ref: 0045DAD1
                                                                                                                                                                  • Sleep.KERNELBASE(00000001,?,?,00000000,?,?,?,?,?,?,?,?,0045DDB8), ref: 0045DB87
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Cursor$Sleep
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1847515627-0
                                                                                                                                                                  • Opcode ID: 1305e8b84abd8f11ed362210ed92b6921c6aed97f625362779b6103c1612edfd
                                                                                                                                                                  • Instruction ID: e8049105a74d3e0261715eac98f4d2121e3debad5535f3f1e8485cbb4cdad7bb
                                                                                                                                                                  • Opcode Fuzzy Hash: 1305e8b84abd8f11ed362210ed92b6921c6aed97f625362779b6103c1612edfd
                                                                                                                                                                  • Instruction Fuzzy Hash: 70519A31A082428FCB24CF18C4D0E6AB7E2EF89705F19499EE8859B352D735FD49CB85
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Strings
                                                                                                                                                                  • min, xrefs: 004CCC6B
                                                                                                                                                                  • too many terms in compound SELECT, xrefs: 004CB666
                                                                                                                                                                  • only a single result allowed for a SELECT that is part of an expression, xrefs: 004CB6AC
                                                                                                                                                                  • max, xrefs: 004CCCCE
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: max$min$only a single result allowed for a SELECT that is part of an expression$too many terms in compound SELECT
                                                                                                                                                                  • API String ID: 0-2877691265
                                                                                                                                                                  • Opcode ID: fbd03b09731f7fb73b0834140c81151357748eaef8a73ae9651058b7b71b28cb
                                                                                                                                                                  • Instruction ID: c1929985df6c20adc65602af42118a6c04867d104e31f5cdb5b9dcf57f3213a0
                                                                                                                                                                  • Opcode Fuzzy Hash: fbd03b09731f7fb73b0834140c81151357748eaef8a73ae9651058b7b71b28cb
                                                                                                                                                                  • Instruction Fuzzy Hash: 881356746047418FD724DF19C090F2ABBE1FF85308F15896EE98A8B352DB79E845CB86
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateFileW.KERNELBASE(00000000,C0000000,00000003,00000000,7FFFFFFD,?,00000000), ref: 00491D26
                                                                                                                                                                  • CreateFileA.KERNEL32(?,?,00000003,00000000,?,?,00000000,89005445), ref: 00491D2E
                                                                                                                                                                  • GetDiskFreeSpaceW.KERNELBASE(00000000,?,?,?,?), ref: 00491E5C
                                                                                                                                                                  • GetDiskFreeSpaceA.KERNEL32(00000000,?,?,?,?), ref: 00491E92
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CreateDiskFileFreeSpace
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3321825543-0
                                                                                                                                                                  • Opcode ID: 43ba0cbec80b2fa17c53ea0a5cf93c85ec04918b9e4dfa6bcad75a6e981aae53
                                                                                                                                                                  • Instruction ID: 83f738b45ce3571a5b1a543967aa25571774c38b0d664623fa16f6a30307302f
                                                                                                                                                                  • Opcode Fuzzy Hash: 43ba0cbec80b2fa17c53ea0a5cf93c85ec04918b9e4dfa6bcad75a6e981aae53
                                                                                                                                                                  • Instruction Fuzzy Hash: DB4111716042029FDF21CF24D844BABBBE4EF80318F04467FF88582260E739D85ACB96
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,004F67B4,00000000,00000000,00000000), ref: 004F6673
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: InformationTimeZone
                                                                                                                                                                  • String ID: W. Europe Standard Time$W. Europe Summer Time
                                                                                                                                                                  • API String ID: 565725191-690618308
                                                                                                                                                                  • Opcode ID: 37dc3693d64b196c5e882212cddad6af1e0f65f0a5ddd334e881fb4f22ef6d2f
                                                                                                                                                                  • Instruction ID: 9cad27d5f2b54b569fbe64af901152f9cd98cd860f96ba3425b9b03ecf62c301
                                                                                                                                                                  • Opcode Fuzzy Hash: 37dc3693d64b196c5e882212cddad6af1e0f65f0a5ddd334e881fb4f22ef6d2f
                                                                                                                                                                  • Instruction Fuzzy Hash: 91C12672D00119ABDB14BB65DC02ABF7BB9EF04758F11406BFA01EB295E7389E01D798
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000000,000000FF), ref: 0041F3E5
                                                                                                                                                                  • LocalFree.KERNEL32(?), ref: 0041F414
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CryptDataFreeLocalUnprotect
                                                                                                                                                                  • String ID: jjjj
                                                                                                                                                                  • API String ID: 1561624719-48926182
                                                                                                                                                                  • Opcode ID: aa4404672b2df8b18a26a615dff9fcff1f65acf6459e9ad9dae77a66ff4ba265
                                                                                                                                                                  • Instruction ID: 409469ce869bb278a755ece448acb5b2db033f64c44fe4e4698fcece5c69adc3
                                                                                                                                                                  • Opcode Fuzzy Hash: aa4404672b2df8b18a26a615dff9fcff1f65acf6459e9ad9dae77a66ff4ba265
                                                                                                                                                                  • Instruction Fuzzy Hash: DDF0A7B2C4011896DF109BA49C01BEFB765FB54721F004037DC59A3340EB3948898ADA
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • FindClose.KERNEL32(000000FF,?,0046BEC7,?,00000000,?,00473681,?,00000000), ref: 004DB1D7
                                                                                                                                                                  • FindFirstFileExW.KERNELBASE(000000FF,00000001,?,00000000,00000000,00000000,?,?,?,0046BEC7,?,00000000,?,00473681,?,00000000), ref: 004DB206
                                                                                                                                                                  • GetLastError.KERNEL32(?,0046BEC7,?,00000000,?,00473681,?,00000000), ref: 004DB218
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Find$CloseErrorFileFirstLast
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 4020440971-0
                                                                                                                                                                  • Opcode ID: f1d414bdb1a830b9c19e1c1a91ab6db378ddacdc0024ae8e2650c4f043538abd
                                                                                                                                                                  • Instruction ID: 8aa795b071709f9ad919938827d4aff15d16b66e82d9f8c16838a8eaa28f277c
                                                                                                                                                                  • Opcode Fuzzy Hash: f1d414bdb1a830b9c19e1c1a91ab6db378ddacdc0024ae8e2650c4f043538abd
                                                                                                                                                                  • Instruction Fuzzy Hash: D9F05431000508FFDB111FA5DC189AF7B9CEF143B0B108627BD68C56A0D73199A296E4
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: f47df8a979cf4f857dc537b9ef44913b95696ce48800f52ac5a31c4eb421a18d
                                                                                                                                                                  • Instruction ID: e16f3952025df4b57fbfa53020dcabc30b9a59b88706b4710c7fb5b6fa6fa324
                                                                                                                                                                  • Opcode Fuzzy Hash: f47df8a979cf4f857dc537b9ef44913b95696ce48800f52ac5a31c4eb421a18d
                                                                                                                                                                  • Instruction Fuzzy Hash: D4028EB06047019FDB64CF29C840B27BBE0AF89314F15493EE48AC7751DB78E949CB5A
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateFileW.KERNELBASE(00000000,C0000000,00000003,00000000,7FFFFFFD,?,00000000), ref: 00491D26
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 823142352-0
                                                                                                                                                                  • Opcode ID: d5e735c4d325f6863c4bbb0d8d2f27c6b16101442465d86a64dd5004bcde936b
                                                                                                                                                                  • Instruction ID: ea3f12589498c6031ede0a0e63da1aa6e190ef39183c8d3f3956d1ebbf566a56
                                                                                                                                                                  • Opcode Fuzzy Hash: d5e735c4d325f6863c4bbb0d8d2f27c6b16101442465d86a64dd5004bcde936b
                                                                                                                                                                  • Instruction Fuzzy Hash: D531BF716043069BDB10CF29D845B9BBBE5EBC4364F144A3EF858833A0E339D905CB96
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 79f90e00dc77957be7610ff531ea09f8d3cb8def4dcd7f8d4dea2ba9a82dffaa
• Instruction ID: b0f2f4a4c71a32763588803a0d4209da0bfab023c608772363e77a77a94ad2d5
• Opcode Fuzzy Hash: 79f90e00dc77957be7610ff531ea09f8d3cb8def4dcd7f8d4dea2ba9a82dffaa
• Instruction Fuzzy Hash: 30B1E17190468A9BCB35CF6BC4956BFB7A1AF08306F140A1FD992973C1C739AD02CB59
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: k0K
• API String ID: 0-2240500536
• Opcode ID: 5f99f82bc59ae3eaf0481f485006e98992b18bd68afbdb37dbad8402f605a7b4
• Instruction ID: 58ae69e5487afc1ab35260876bc7a5fe83d503e72c09194b2d23b77358996077
• Opcode Fuzzy Hash: 5f99f82bc59ae3eaf0481f485006e98992b18bd68afbdb37dbad8402f605a7b4
• Instruction Fuzzy Hash: 2AB16B74A016069FDB14CF6AC48065AFBF1FF49314B28C57ED8198B711E736E951CB84
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aead1b18fa6655e2046488e2d56f3586447149cbf6bdb60b8fae25e10e23de9f
• Instruction ID: d460b15ecaef89ee619ee12d19a6560aac0686608ff237d971a34b1c2572f41b
• Opcode Fuzzy Hash: aead1b18fa6655e2046488e2d56f3586447149cbf6bdb60b8fae25e10e23de9f
• Instruction Fuzzy Hash: 4342B070A006458FDB14EE78C8807AEFBA1FF45310F148A6ED4A5E7781D738E54ACBA5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0702e79ebe35d7f2eab4924e86644c543a8bfec9af84c7524f60a6a2cffea22b
• Instruction ID: 0f76039a442bb9952bef901009f789ffb67366a02fe10e258d8ab1312df69022
• Opcode Fuzzy Hash: 0702e79ebe35d7f2eab4924e86644c543a8bfec9af84c7524f60a6a2cffea22b
• Instruction Fuzzy Hash: C2B19F71A057019FC720EE69C840A5BB7E1EF88324F144F2EF8AAD3790D778E9458B56
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 00442C53
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00442CAF
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004434EF
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00443639
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0044337F
  • Part of subcall function 0040E7B0: FindFirstFileA.KERNEL32(00000000,7F7A790F,?,7F7A790E,00445E27,00000000,7F7A790E,7F7A790F,74DF3100,?), ref: 0040E929
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00442CE0
  • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
  • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00442E08
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00442E37
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00442F2F
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00443029
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00443087
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004431B8
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0044324A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: File$CreateDirectory$Copy$FolderPath$AttributesErrorFindFirstLast
• String ID: 1,)$ghi$! 2;$!#7)$"83<$";=w$";=w$"?=+$#9;1$$'4<$%1$%26>$&+$&2$)u$0$)u$0$)u$0$)u(%$)u6.$*$+$.$.4.<$.4.<$.4.<$0(33$0(33$0+$0>?$0>?$0>?$0>?w$0>?w$11$1<:3$1>6$2$2$2$315$315$3$$34*8$3:$3>2)$3y<8$4(r)$4>($4>($61$6:$6:$759*$759*$759*$7:$7;x$7;x$7;x$864$864$9"6-$9"6-$9"6-$9"6-$9"6-$9:$9:$9:$;26-$</$?($?($?($?)$?)/$?0$_$k$t224$w Y_[]$|';-$|76$|::<
• API String ID: 3765264142-139938508
• Opcode ID: 990ac86eb2dbed40e8dcdc6bd6bfd7758b5164ccb475ca9b4540de2ca0c5392f
• Instruction ID: 3de45bc02bde8f5d1410f05e926e2ccc20553a8a2b94b07571620541858a5efa
• Opcode Fuzzy Hash: 990ac86eb2dbed40e8dcdc6bd6bfd7758b5164ccb475ca9b4540de2ca0c5392f
• Instruction Fuzzy Hash: 4C538D70C04298DADB21EB65CD557DEBB74AF21308F4441EAD449772C2EBB81B88CF96
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

Legend: Executed / Not Executed
control_flow_graph: basic-block edge list for the function starting at 474ac0 (entry block 474ac0-474b24, blocks through 475881-47589a; the exception-cleanup paths call ___std_exception_destroy). The rendered graph is not recoverable as text.

APIs
• ___std_exception_destroy.LIBVCRUNTIME ref: 00474FE3
• ___std_exception_destroy.LIBVCRUNTIME ref: 00474FF7
• ___std_exception_destroy.LIBVCRUNTIME ref: 0047510F
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475123
• ___std_exception_destroy.LIBVCRUNTIME ref: 004751E0
• ___std_exception_destroy.LIBVCRUNTIME ref: 004751FA
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475369
• ___std_exception_destroy.LIBVCRUNTIME ref: 0047537D
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475452
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475466
• ___std_exception_destroy.LIBVCRUNTIME ref: 0047554C
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475560
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475811
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475825
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: ___std_exception_destroy
• String ID: O$array$number overflow parsing '$object$value
• API String ID: 4194217158-306733086
• Opcode ID: cb63a8b2e461e91bcb32e0d98c3f644b59a248b0a224de03e7edc05735470389
• Instruction ID: 2b8bbb5fb6bef53096142a6844d47d0bb0a5a7ac0895a6da9de1fd59fd81eee6
• Opcode Fuzzy Hash: cb63a8b2e461e91bcb32e0d98c3f644b59a248b0a224de03e7edc05735470389
• Instruction Fuzzy Hash: 4192A170C00248DEDB10DFA4C944BEEBFB5BF55304F14859ED459BB282E7786A48CBA6
Uniqueness
Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,0000005C), ref: 00410419
• SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00410440
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: FolderPath
• String ID: $39$12*y$9%!$9>6$\$z
• API String ID: 1514166925-764209152
• Opcode ID: 81d9ec1db920eedd9979d0c7e50ac6c10eba50d94bcfc26e85fa224c19e26f48
• Instruction ID: 59b6d6f339ba7e2f22b0134f03f68e765181b61f31e9b392b5e3c28a430878f0
• Opcode Fuzzy Hash: 81d9ec1db920eedd9979d0c7e50ac6c10eba50d94bcfc26e85fa224c19e26f48
• Instruction Fuzzy Hash: E772DE70C0029D9ACF25DB64CD557EEB774AF15308F0442EAD04977292EBB82B89CF96
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • RegGetValueA.KERNELBASE(80000002,?,34393C16,0001FFFF,00000001,?,00000104), ref: 0040CBD2
                                                                                                                                                                  • GetComputerNameExA.KERNELBASE(00000002,?,00000104), ref: 0040CC3C
                                                                                                                                                                  • LsaOpenPolicy.ADVAPI32(00000000,0054267C,00000001,00000000), ref: 0040CC95
                                                                                                                                                                  • LsaQueryInformationPolicy.ADVAPI32(00000000,0000000C,?), ref: 0040CCA8
                                                                                                                                                                  • LsaFreeMemory.ADVAPI32(?), ref: 0040CCD6
                                                                                                                                                                  • LsaClose.ADVAPI32(00000000), ref: 0040CCDF
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Policy$CloseComputerFreeInformationMemoryNameOpenQueryValue
                                                                                                                                                                  • String ID: %wZ$?9
                                                                                                                                                                  • API String ID: 762890658-830384695
                                                                                                                                                                  • Opcode ID: a14e4553e443ecd4be1b87ce77b34667ff650a3cf470428272776160caaff946
                                                                                                                                                                  • Instruction ID: 5c12321940df4fd8fb71f447f481a877f50f156e5d1b3200ddc0c7ffc2d86234
                                                                                                                                                                  • Opcode Fuzzy Hash: a14e4553e443ecd4be1b87ce77b34667ff650a3cf470428272776160caaff946
                                                                                                                                                                  • Instruction Fuzzy Hash: 3B612671804348DBEB11DFA4DC49BEEBBB8FF09708F00426EE545B6182E7B55689CB94
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00439BA8
                                                                                                                                                                  • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00439C52
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FolderNamesPathPrivateProfileSection
                                                                                                                                                                  • String ID: )u53$0>4<$1<;>$7$?2+$TbE
                                                                                                                                                                  • API String ID: 2478605195-2592757414
                                                                                                                                                                  • Opcode ID: 1606ea9120c7d04a6346da00d7890c6e7c48432ada12fe9634ef06a45c9dc041
                                                                                                                                                                  • Instruction ID: 7174201a8848e788bf8bea569bcfc7b55b4c84013191dce98e5d5293a2ecbe93
                                                                                                                                                                  • Opcode Fuzzy Hash: 1606ea9120c7d04a6346da00d7890c6e7c48432ada12fe9634ef06a45c9dc041
                                                                                                                                                                  • Instruction Fuzzy Hash: 18519E74905398EEDB11DFA4CC45BCDBBB4AF15304F1040DAE549AB282D7B86B88CF56
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,?,00000000,00000000,00000000), ref: 0041DBB6
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,06150005), ref: 0041DBC1
                                                                                                                                                                  • WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0041DBD6
                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,?,?,?,00000000,00000000,00000000), ref: 0041DEDC
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressCurrentHandleModuleProcProcessSend
                                                                                                                                                                  • String ID: %1$39<$Ws2_32.dll
                                                                                                                                                                  • API String ID: 3060695839-1710563983
                                                                                                                                                                  • Opcode ID: 7e2e5bfa8d89abbe3152043b2327a7d30498876b6f1498a89903fe981372744d
                                                                                                                                                                  • Instruction ID: bb544734cddad546c251b080f02150c0b6b95f0d694eae3eeb7ddbcd143b20fb
                                                                                                                                                                  • Opcode Fuzzy Hash: 7e2e5bfa8d89abbe3152043b2327a7d30498876b6f1498a89903fe981372744d
                                                                                                                                                                  • Instruction Fuzzy Hash: EE6225B0D04288DEDF10DFA8C9557EEBFB0AF15308F24415ED4456B282E7B85A88DBD6
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
                                                                                                                                                                  • GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
                                                                                                                                                                  • std::_Throw_Cpp_error.LIBCPMT ref: 0040B24F
                                                                                                                                                                  • std::_Throw_Cpp_error.LIBCPMT ref: 0040B260
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Cpp_errorThrow_std::_$AttributesErrorFileLast
                                                                                                                                                                  • String ID: \*.*$DT$DT
                                                                                                                                                                  • API String ID: 995686243-3062393244
                                                                                                                                                                  • Opcode ID: 7c93be0e39bac07192ae234e4444476cb8469c1607e3cac452f8ce700f80683a
                                                                                                                                                                  • Instruction ID: 98fd9ba19aa43d818a037ed0b56ad2d2959cead2aa0cd36f25e414e829a489f2
                                                                                                                                                                  • Opcode Fuzzy Hash: 7c93be0e39bac07192ae234e4444476cb8469c1607e3cac452f8ce700f80683a
                                                                                                                                                                  • Instruction Fuzzy Hash: 65110371940600E7CB205BA8A809BBE3654E713728F2087BFD425B77D0D73989048ADE
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • WSAStartup.WS2_32 ref: 0041D45A
                                                                                                                                                                  • getaddrinfo.WS2_32(?,?,?,00544318), ref: 0041D4DC
                                                                                                                                                                  • socket.WS2_32(?,?,?), ref: 0041D4FD
                                                                                                                                                                  • connect.WS2_32(00000000,?,?), ref: 0041D511
                                                                                                                                                                  • closesocket.WS2_32(00000000), ref: 0041D51D
                                                                                                                                                                  • freeaddrinfo.WS2_32(?,?,?,?,00544318,?,?), ref: 0041D52A
                                                                                                                                                                  • WSACleanup.WS2_32 ref: 0041D530
                                                                                                                                                                  • freeaddrinfo.WS2_32(?,?,?,?,00544318,?,?), ref: 0041D545
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: freeaddrinfo$CleanupStartupclosesocketconnectgetaddrinfosocket
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 58224237-0
                                                                                                                                                                  • Opcode ID: 1366ad5779fb1d9e896f6c3f08975c03dc1aab9f9250e2a0f463ba84f3e17d7b
                                                                                                                                                                  • Instruction ID: 3c9476e75c3fd4fec55e94a635383449f643eb380b6605d060e559485908137f
                                                                                                                                                                  • Opcode Fuzzy Hash: 1366ad5779fb1d9e896f6c3f08975c03dc1aab9f9250e2a0f463ba84f3e17d7b
                                                                                                                                                                  • Instruction Fuzzy Hash: A431C472904710ABC7209F25DC486ABB7E5BBD4368F104B1EF8B4932A0E374A8489656
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 004778C0: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 00477949
                                                                                                                                                                    • Part of subcall function 004778C0: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 00477991
                                                                                                                                                                  • GetFileAttributesA.KERNELBASE(?), ref: 004077C1
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ___std_fs_convert_narrow_to_wide@20$AttributesFile
                                                                                                                                                                  • String ID: $.zip$/$\$recursive_directory_iterator::recursive_directory_iterator
                                                                                                                                                                  • API String ID: 2896367778-1520678085
                                                                                                                                                                  • Opcode ID: 2fad60e87e1e802c277f3282e679dfa3b8b58277df00ea7f9a444588ff8a1a58
                                                                                                                                                                  • Instruction ID: 83cbc35ccc226e9dfc96b22cc8f0aa30fdcd4d5be8d4862c17add94487e3c136
                                                                                                                                                                  • Opcode Fuzzy Hash: 2fad60e87e1e802c277f3282e679dfa3b8b58277df00ea7f9a444588ff8a1a58
                                                                                                                                                                  • Instruction Fuzzy Hash: 55429D70D05258DFDB10DFA8C9587DEBBB0BF15308F14819DE4097B282DB785A88CB96
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 0046CCC0
                                                                                                                                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 0046CCDA
                                                                                                                                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 0046D09A
                                                                                                                                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 0046D0B4
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ___std_exception_destroy
                                                                                                                                                                  • String ID: .$value
                                                                                                                                                                  • API String ID: 4194217158-1166439862
                                                                                                                                                                  • Opcode ID: 114bf2fada0c8a335dc6e4dc59675e49d0fca1bc34742518db17b52a0daaae50
                                                                                                                                                                  • Instruction ID: 6bb52dc470a67732b65bfa6fba687dde157c2efc00668daf5dfdc611f465addf
                                                                                                                                                                  • Opcode Fuzzy Hash: 114bf2fada0c8a335dc6e4dc59675e49d0fca1bc34742518db17b52a0daaae50
                                                                                                                                                                  • Instruction Fuzzy Hash: 09328D70D01288DEDB14CFA9C9547EEBBB1AF15304F24819EE458AB382E7785B48DF52
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 712faec5eeebce6baaee8b13617faba26b3b358921950160ad50f9a09d9e58b7
                                                                                                                                                                  • Instruction ID: e1f0bbcd43b77d7626f4e77856158d48870e96d21c9a9c54683f95f8a13591de
                                                                                                                                                                  • Opcode Fuzzy Hash: 712faec5eeebce6baaee8b13617faba26b3b358921950160ad50f9a09d9e58b7
                                                                                                                                                                  • Instruction Fuzzy Hash: D5B15974E0424CEFDB11DF99D880BBE7BB1AF56304F14415AE6049B3A2C778AD42CB69
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • __allrem.LIBCMT ref: 004EAD8B
                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004EADA7
                                                                                                                                                                  • __allrem.LIBCMT ref: 004EADBE
                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004EADDC
                                                                                                                                                                  • __allrem.LIBCMT ref: 004EADF3
                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004EAE11
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1992179935-0
                                                                                                                                                                  • Opcode ID: 71c8420f77c3c6b4205cd649fa68cc37f68444db08f8c9dfdfe450398f673b61
                                                                                                                                                                  • Instruction ID: 1b3fea5176a95fd5fcec1025af7aaf911d8005413d807e00b03de1864a21ce91
                                                                                                                                                                  • Opcode Fuzzy Hash: 71c8420f77c3c6b4205cd649fa68cc37f68444db08f8c9dfdfe450398f673b61
                                                                                                                                                                  • Instruction Fuzzy Hash: E9811672A00B469BD7209B2FCC41B6B73E9AF40366F24462FF511C6381E778ED10879A
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D79A
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,06150005), ref: 0041D7A5
                                                                                                                                                                  • WSASend.WS2_32(0000000F,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041D7BA
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressHandleModuleProcSend
                                                                                                                                                                  • String ID: 39<$Ws2_32.dll
                                                                                                                                                                  • API String ID: 2819740048-4200987404
                                                                                                                                                                  • Opcode ID: c69c04ee7ae2295ddacff926e2ae81a183a2070aca705dce49a36a733aacb347
                                                                                                                                                                  • Instruction ID: 51d12b58568d2725e11e2f3ede4e953a1ffade967b8a63a07fe4bd30ab4072ec
                                                                                                                                                                  • Opcode Fuzzy Hash: c69c04ee7ae2295ddacff926e2ae81a183a2070aca705dce49a36a733aacb347
                                                                                                                                                                  • Instruction Fuzzy Hash: C7A179B0E00214DFCB24DF58C9447AEBBF0AF18714F18855EE869AB381D779AD81CB95
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 00414337
                                                                                                                                                                  • std::_Throw_Cpp_error.LIBCPMT ref: 00414482
                                                                                                                                                                  • std::_Throw_Cpp_error.LIBCPMT ref: 00414493
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Cpp_errorThrow_std::_$CopyFile
                                                                                                                                                                  • String ID: \
                                                                                                                                                                  • API String ID: 4177132511-2967466578
                                                                                                                                                                  • Opcode ID: d2dbee1534c5c85b3556dab985fa2ee1985f678c8ffbde03522007a8a5baf56b
                                                                                                                                                                  • Instruction ID: ec448d641316e2a3872437f4d92d0186c9a642a8506e38dff8007fdda78d9240
                                                                                                                                                                  • Opcode Fuzzy Hash: d2dbee1534c5c85b3556dab985fa2ee1985f678c8ffbde03522007a8a5baf56b
                                                                                                                                                                  • Instruction Fuzzy Hash: 8681FC70D00288DFDF04DBE4D945BEDBBB4EF15308F20429EE41067292EBB81A48DB96
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • DeleteFileW.KERNELBASE(dN,?,004E64E1,?,?,?,00000000), ref: 004F4C11
                                                                                                                                                                  • GetLastError.KERNEL32(?,004E64E1,?,?,?,00000000), ref: 004F4C1B
                                                                                                                                                                  • __dosmaperr.LIBCMT ref: 004F4C22
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: DeleteErrorFileLast__dosmaperr
                                                                                                                                                                  • String ID: dN
                                                                                                                                                                  • API String ID: 1545401867-1959024296
                                                                                                                                                                  • Opcode ID: 5dc75ce04c15e295acdd42d31dd70232daf278466f7767e5e62d7905f0952de2
                                                                                                                                                                  • Instruction ID: 75627c7e57507863508bb374b15be04f9f819f00b988c6ee8400558b9e74fa4a
                                                                                                                                                                  • Opcode Fuzzy Hash: 5dc75ce04c15e295acdd42d31dd70232daf278466f7767e5e62d7905f0952de2
                                                                                                                                                                  • Instruction Fuzzy Hash: A3D02232000508FB8B002BF2BC0C8573B1CDFD03393100A23F42CC05A0EE35C891A250
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 0049131F
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0049132A
                                                                                                                                                                  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00491352
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0049135C
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorFileLast$PointerRead
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2170121939-0
                                                                                                                                                                  • Opcode ID: fc66bafa82d2f8404cdf7c252faac411a51537015cb655470ecd5fc5aba69e13
                                                                                                                                                                  • Instruction ID: 0b9ab4fa7100161e3312e7656db52f40096a583a722d5ee13f2c0e10fa81db1a
                                                                                                                                                                  • Opcode Fuzzy Hash: fc66bafa82d2f8404cdf7c252faac411a51537015cb655470ecd5fc5aba69e13
                                                                                                                                                                  • Instruction Fuzzy Hash: EA114632600509EBDB108FA9EC05BDABBA8EF55371F008267FD1CC6660E775D9609BD0
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0040AC70: __fread_nolock.LIBCMT ref: 0040AD44
                                                                                                                                                                  • DeleteFileA.KERNELBASE(?), ref: 0041EC07
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: DeleteFile__fread_nolock
                                                                                                                                                                  • String ID: 3$cad
                                                                                                                                                                  • API String ID: 3901365830-1935378428
                                                                                                                                                                  • Opcode ID: f7301a40b307fd71562f9030343ef306315756893d55ed6466546a7cfe9cdc3f
                                                                                                                                                                  • Instruction ID: 62bbc81b036fc7eec248f0632e251a3009aed052e2521f9a115e3063f2f9f842
                                                                                                                                                                  • Opcode Fuzzy Hash: f7301a40b307fd71562f9030343ef306315756893d55ed6466546a7cfe9cdc3f
                                                                                                                                                                  • Instruction Fuzzy Hash: CCB1BE74E00249DFCB00DF65C804BEEBBB1AF45308F24819AE505AB382D779AE45DBD5
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 004F2053: GetConsoleOutputCP.KERNEL32(E745BA98,00000000,00000000,?), ref: 004F20B6
                                                                                                                                                                  • WriteFile.KERNELBASE(?,00000000,004E6777,?,00000000,00000000,00000000,?,00000000,?,00000000,wgN,00000000,00000000,?,?), ref: 004F2AC2
                                                                                                                                                                  • GetLastError.KERNEL32(?,004E6777,00000000,?,00000000,?,00000000,00000000), ref: 004F2ACC
                                                                                                                                                                  Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: ConsoleErrorFileLastOutputWrite
• String ID: wgN
• API String ID: 2915228174-354891312
• Opcode ID: c4e0fab56aaa5aa668606d57f16693d2fff82ef8988b3cb834d35c0f5d62a876
• Instruction ID: 58ddb85c8bea4c2b3dbe3e5c994e5fd3db19d053895fb78a9c91e10694f9601d
• Opcode Fuzzy Hash: c4e0fab56aaa5aa668606d57f16693d2fff82ef8988b3cb834d35c0f5d62a876
• Instruction Fuzzy Hash: BB61A271D0011EAFDF11CFA8CA84EFEBBB9AF19304F14014AEA00A7255D3B9D906CB55
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004DE42B: RaiseException.KERNEL32(E06D7363,00000001,00000003,0045DCD0,0045DCD0,?,?,004DAF37,0045DCD0,0053D744,00000000,0045DCD0,00000000,00000001), ref: 004DE48B
• ___std_fs_directory_iterator_open@12.LIBCPMT ref: 004061E8
• ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406202
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: ExceptionRaise___std_fs_directory_iterator_advance@8___std_fs_directory_iterator_open@12
• String ID: absolute
• API String ID: 1297148070-2799662678
• Opcode ID: 83d60d2f71de9d8f69fa5d81af5cafba3f0471d6c422f5ef9654ebbd380b6de7
• Instruction ID: df52e70302dbc25e70dbc729ec55d43ed626788b5323ae355475d9aa96fec0df
• Opcode Fuzzy Hash: 83d60d2f71de9d8f69fa5d81af5cafba3f0471d6c422f5ef9654ebbd380b6de7
• Instruction Fuzzy Hash: 9831D071900618ABCB20EF55C945AAFBBB8FF44764F00066AE815773C1DB38AA04CBE5
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: __fread_nolock
• String ID: 1$qZC
• API String ID: 2638373210-4291668569
• Opcode ID: e6e22c07389a48e61ae8e95e7b83de7e9b3121829484d644dc2acc3f52427005
• Instruction ID: d341f4343d4f5fdecf0593ce2782d3c7c06861483f708230bb127ce9c5082770
• Opcode Fuzzy Hash: e6e22c07389a48e61ae8e95e7b83de7e9b3121829484d644dc2acc3f52427005
• Instruction Fuzzy Hash: 0B31C1709043459BDB20EF69C905BAFBBF4EF44704F10066EE5416B282D7B99A48CBD6
Uniqueness Score: -1.00%

APIs
• CreateDirectoryA.KERNELBASE(?,00000000,00000005,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B2B5
  • Part of subcall function 004DBDDA: ReleaseSRWLockExclusive.KERNEL32(?,DT,0040B6FD,005444E8,?,?,\*.*,00000004), ref: 004DBDEE
• std::_Throw_Cpp_error.LIBCPMT ref: 0040B2E4
• std::_Throw_Cpp_error.LIBCPMT ref: 0040B2F5
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Cpp_errorThrow_std::_$CreateDirectoryExclusiveLockRelease
• String ID:
• API String ID: 1881651058-0
• Opcode ID: 4aa31760ff55f9e8091e016fbf5db6d1ac4fd96c015ccc68c759aad941cf529b
• Instruction ID: 2083917a30228ff47c2f58c55b42abb2321d0377fce0ac6287103c5d37e315ef
• Opcode Fuzzy Hash: 4aa31760ff55f9e8091e016fbf5db6d1ac4fd96c015ccc68c759aad941cf529b
• Instruction Fuzzy Hash: E0F086B5980704EBDB209B5A9D06B9A7A98E702B38F11436FF435533D0E7755A00CAEA
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(?,?,004EC813,?,004E1C93,?,?,E745BA98,004E1C93,?), ref: 004EC82A
• TerminateProcess.KERNEL32(00000000,?,004EC813,?,004E1C93,?,?,E745BA98,004E1C93,?), ref: 004EC831
• ExitProcess.KERNEL32 ref: 004EC843
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 570eabad1b53be2d073ee1c841cabbe5f8cdf0a80e41f99a4d5a77ab8836c315
• Instruction ID: 441ef718a996dc58b5bae7a476c47dbc26188b301f5d8cdfa8241a9a43c48a8d
• Opcode Fuzzy Hash: 570eabad1b53be2d073ee1c841cabbe5f8cdf0a80e41f99a4d5a77ab8836c315
• Instruction Fuzzy Hash: AED05E32000544FBCF013F62DE4D8993F29BFA0347B448025B86549131DB79895AEA84
Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0043E9E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: FolderPath
• String ID: "6
• API String ID: 1514166925-701612358
• Opcode ID: 449d5c4dad14d35fcf056e8945d132f492ee13bef44607acf26823712170881c
• Instruction ID: 7f6c3857031e9ecd41295e242b3f508b67c493e0e27127d8f4aabd3770d547c9
• Opcode Fuzzy Hash: 449d5c4dad14d35fcf056e8945d132f492ee13bef44607acf26823712170881c
• Instruction Fuzzy Hash: 09512970C04298CAEB15DF64C948BEDB770BF16304F1082DDD4896B2C2DBB51A89CF65
Uniqueness Score: -1.00%

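The records above are the Joe Sandbox IDA plugin's per-function API summaries, and a few of them carry the details an analyst actually wants out of a stealer triage: the CSIDL passed to SHGetFolderPathA (0x1A is CSIDL_APPDATA, the root under which browser and wallet profiles live), the exception code E06D7363 handed to RaiseException (the MSVC C++ throw, not custom error handling), std::filesystem directory iteration next to CreateDirectoryA, and the GetCurrentProcess/TerminateProcess/ExitProcess trio. The following Python parser is an added example, not part of the report and not Joe Sandbox's own code; it pulls the API calls out of records in this shape and annotates them. The embedded sample text is constructed from four of the records on this page with the report's indentation removed; the CSIDL table, the function names and the note wording are the example's own assumptions.

```python
"""Parse Joe Sandbox IDA-plugin function records and annotate the API calls
that matter when triaging a stealer.  Added example; not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: four records copied from the report page with the
# indentation removed.  Only the fields this parser reads are included.
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(?,?,004EC813,?,004E1C93,?,?,E745BA98,004E1C93,?), ref: 004EC82A
• TerminateProcess.KERNEL32(00000000,?,004EC813,?,004E1C93,?,?,E745BA98,004E1C93,?), ref: 004EC831
• ExitProcess.KERNEL32 ref: 004EC843
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Instruction ID: 441ef718a996dc58b5bae7a476c47dbc26188b301f5d8cdfa8241a9a43c48a8d
APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0043E9E1
Strings
Similarity
• API ID: FolderPath
• String ID: "6
• Instruction ID: 7f6c3857031e9ecd41295e242b3f508b67c493e0e27127d8f4aabd3770d547c9
APIs
• CreateDirectoryA.KERNELBASE(?,00000000,00000005,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B2B5
  • Part of subcall function 004DBDDA: ReleaseSRWLockExclusive.KERNEL32(?,DT,0040B6FD,005444E8,?,?,\\*.*,00000004), ref: 004DBDEE
• std::_Throw_Cpp_error.LIBCPMT ref: 0040B2E4
Similarity
• API ID: Cpp_errorThrow_std::_$CreateDirectoryExclusiveLockRelease
• Instruction ID: 2083917a30228ff47c2f58c55b42abb2321d0377fce0ac6287103c5d37e315ef
APIs
  • Part of subcall function 004DE42B: RaiseException.KERNEL32(E06D7363,00000001,00000003,0045DCD0), ref: 004DE48B
• ___std_fs_directory_iterator_open@12.LIBCPMT ref: 004061E8
• ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406202
Similarity
• API ID: ExceptionRaise___std_fs_directory_iterator_advance@8___std_fs_directory_iterator_open@12
• Instruction ID: df52e70302dbc25e70dbc729ec55d43ed626788b5323ae355475d9aa96fec0df
"""

# One API line: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional "(args)", then "ref: <hex>".  The bullet may be •, * or -.
API_RE = re.compile(
    r"^[•*-]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w:@]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
META_RE = re.compile(r"^[•*-]?\s*(API ID|Instruction ID):\s*(.*)$")

# Assumed CSIDL table (subset of shlobj.h); low byte only, flags such as
# CSIDL_FLAG_CREATE (0x8000) are masked off before the lookup.
CSIDL = {
    0x05: "CSIDL_PERSONAL", 0x10: "CSIDL_DESKTOPDIRECTORY", 0x1A: "CSIDL_APPDATA",
    0x1C: "CSIDL_LOCAL_APPDATA", 0x23: "CSIDL_COMMON_APPDATA",
    0x26: "CSIDL_PROGRAM_FILES", 0x28: "CSIDL_PROFILE",
}
MSVC_CPP_EXCEPTION = "E06D7363"  # 0xE0 'm' 's' 'c': MSVC C++ throw


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None  # address of the callee when nested


@dataclass
class Record:
    calls: list = field(default_factory=list)
    api_id: str = ""
    instruction_id: str = ""


def parse_records(text):
    """Split the listing at each 'APIs' header and collect calls and IDs."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Record()
            records.append(cur)
            continue
        if cur is None:
            continue
        meta = META_RE.match(line)
        if meta:
            if meta.group(1) == "API ID":
                cur.api_id = meta.group(2).strip()
            else:
                cur.instruction_id = meta.group(2).strip()
            continue
        m = API_RE.match(line)
        if m:
            args = m.group("args")
            cur.calls.append(Call(m.group("name"), m.group("module"),
                                  [a.strip() for a in args.split(",")] if args else [],
                                  m.group("ref"), m.group("sub")))
    return records


def decode_csidl(arg):
    """Map the hex nFolder argument of SHGetFolderPathA to a CSIDL name."""
    try:
        value = int(arg, 16)
    except ValueError:  # the plugin prints '?' for unresolved arguments
        return "CSIDL_unknown"
    return CSIDL.get(value & 0xFF, f"CSIDL_0x{value & 0xFF:02X}")


def annotate(rec):
    """Return analyst notes for the calls in one record, deduplicated."""
    notes = []
    names = {c.name for c in rec.calls}

    def add(note):
        if note not in notes:
            notes.append(note)

    for c in rec.calls:
        if c.name == "SHGetFolderPathA" and len(c.args) > 1:
            add(f"SHGetFolderPathA resolves {decode_csidl(c.args[1])}")
        elif c.name == "RaiseException" and c.args and c.args[0].upper() == MSVC_CPP_EXCEPTION:
            add("RaiseException code E06D7363 is the MSVC C++ throw, not custom error handling")
        elif c.name == "CreateDirectoryA":
            add("creates a directory; check the path argument in the dump")
        elif "directory_iterator" in c.name:
            add("enumerates a directory via std::filesystem")
    if {"GetCurrentProcess", "TerminateProcess", "ExitProcess"} <= names:
        add("hard self-termination path (TerminateProcess on own handle, then ExitProcess)")
    return notes


def summarize(text):
    """One dict per record: IDs, the API names in order, and the notes."""
    return [{"instruction_id": r.instruction_id, "api_id": r.api_id,
             "apis": [c.name for c in r.calls], "notes": annotate(r)}
            for r in parse_records(text)]


if __name__ == "__main__":
    for s in summarize(SAMPLE):
        print(s["instruction_id"][:12], s["apis"], s["notes"])
```

The parser keys on the `APIs` header that starts every record and on the `Name.MODULE(args), ref: addr` shape of each call line, so it works on a whole exported listing as well as on the snippet embedded here; arguments are split on commas, which is fine for the plugin's hex-and-`?` output but would break on a string argument that itself contains a comma.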
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: __fread_nolock
• String ID: 1
• API String ID: 2638373210-2239968871
• Opcode ID: 2f17ea8987909e3e989814b92dc302369c34d617860f511247742bdef80ca715
• Instruction ID: cd64ae41dfe00b5b06abe2499f886eb89be18efc885343d0108f39dd319ff50a
• Opcode Fuzzy Hash: 2f17ea8987909e3e989814b92dc302369c34d617860f511247742bdef80ca715
• Instruction Fuzzy Hash: B231F570900344ABDB14EF6AC945B9F7BA8EF44718F10016EF505AB2C2D7B99A41CBD5
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: __fread_nolock
• String ID: 1
• API String ID: 2638373210-2239968871
• Opcode ID: 2726fe02627068cd5e911be42c1f5965b664eb0a47088c450a8276a39c1ac5fd
• Instruction ID: 7c3e4a2e44c553cc6198f079d267962b1fbb4f5559f4fdaaaa07a3eeae676227
• Opcode Fuzzy Hash: 2726fe02627068cd5e911be42c1f5965b664eb0a47088c450a8276a39c1ac5fd
• Instruction Fuzzy Hash: 1031F470900244ABDB14EF69D945B9F7BA8FF44748F10056EF405AB2C2D7BD8A01CB95
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000008,hN,?,?,004F3219,00000001,00000364,?,00000008,000000FF,?,00000000,004EA934,004E60B3,004E68E7), ref: 004F38D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID: hN
• API String ID: 1279760036-3631290788
• Opcode ID: 4b738e08c8238f13c158b6f4aebdfc83a859e181ea2e4dc4c4678612e856ec98
• Instruction ID: e138f4603294848592488f8e504d332de797348aa899f191c1844a830e0ba78f
• Opcode Fuzzy Hash: 4b738e08c8238f13c158b6f4aebdfc83a859e181ea2e4dc4c4678612e856ec98
• Instruction Fuzzy Hash: 95F0BB3110052C67DB217F63DC05BBB37D89F517E2B154027BE08D6151CB3CD94556E9
Uniqueness Score: -1.00%

APIs
• std::_Throw_Cpp_error.LIBCPMT ref: 00414675
• std::_Throw_Cpp_error.LIBCPMT ref: 00414686
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Cpp_errorThrow_std::_
• String ID:
• API String ID: 2134207285-0
• Opcode ID: ac862eee7d6d7ce6c3a12efbee1ba40941964af439277532c0956238cae26ce1
                                                                                                                                                                  • Instruction ID: d0c1233a766ed38641b4c07237d350fd222a008ab52e14fa55b74dcab28789ba
                                                                                                                                                                  • Opcode Fuzzy Hash: ac862eee7d6d7ce6c3a12efbee1ba40941964af439277532c0956238cae26ce1
                                                                                                                                                                  • Instruction Fuzzy Hash: BB411375E00205CBCB24DF6CD8017AEB7B2FB91708F05062EE815A7392DB78A984DBD4
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • ___std_fs_directory_iterator_open@12.LIBCPMT ref: 004061E8
                                                                                                                                                                  • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406202
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ___std_fs_directory_iterator_advance@8___std_fs_directory_iterator_open@12
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3016148460-0
                                                                                                                                                                  • Opcode ID: 199b10b5cbcfc3bac638bdf402b44041a05770ed40428cdac618f3dde5b17595
                                                                                                                                                                  • Instruction ID: d4caf346f189b166542986bb95bd81797666f76ba9d979eef76578570dd901e2
                                                                                                                                                                  • Opcode Fuzzy Hash: 199b10b5cbcfc3bac638bdf402b44041a05770ed40428cdac618f3dde5b17595
                                                                                                                                                                  • Instruction Fuzzy Hash: 1D31D072A00618ABCB24EF49D851BAEB7B4EF84764F01066FEC1663780DB396D14CAD4
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • RtlFreeHeap.NTDLL(00000000,00000000,?,004FAD87,004E60B3,00000000,004E60B3,?,004FB028,004E60B3,00000007,004E60B3,?,004FB51C,004E60B3,004E60B3), ref: 004F4269
                                                                                                                                                                  • GetLastError.KERNEL32(004E60B3,?,004FAD87,004E60B3,00000000,004E60B3,?,004FB028,004E60B3,00000007,004E60B3,?,004FB51C,004E60B3,004E60B3), ref: 004F4274
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorFreeHeapLast
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 485612231-0
                                                                                                                                                                  • Opcode ID: 8b73b785357b2346bfa9b41464cc3ad5fe5b38bc98d19c64144e2217278180d9
                                                                                                                                                                  • Instruction ID: ea2134de0cf5f8181c31f49d7920a3ecd8334c799a4adc26afd63096a676bfd3
                                                                                                                                                                  • Opcode Fuzzy Hash: 8b73b785357b2346bfa9b41464cc3ad5fe5b38bc98d19c64144e2217278180d9
                                                                                                                                                                  • Instruction Fuzzy Hash: 62E08632100614A7CB112BA5AC0C7DE3F98AF80395F028476F60C86160EA3898649798
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 004732BF
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Concurrency::cancel_current_task
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 118556049-0
                                                                                                                                                                  • Opcode ID: abf0348b899f8cd4233dfb6fdb067882a70edd61fb843c06ee3e014df0a97aed
                                                                                                                                                                  • Instruction ID: aa5b3fa2fee637667061d727e0b6404d379ff605ea095809ed05f8f8f5eeafac
                                                                                                                                                                  • Opcode Fuzzy Hash: abf0348b899f8cd4233dfb6fdb067882a70edd61fb843c06ee3e014df0a97aed
                                                                                                                                                                  • Instruction Fuzzy Hash: 3851A471E001159FCB08DF69C941AEEB7F5AF98300F14816EE809E7396EB38DE058795
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: ca496ef47f0e7f3bd31ff4d0c6dd67ba7ae3da1b984ba6e74bea7cea9b832298
                                                                                                                                                                  • Instruction ID: a945f24e44b28e743e936d21751d2e95920c4c00ec505ba9b30c130e86fbcea3
                                                                                                                                                                  • Opcode Fuzzy Hash: ca496ef47f0e7f3bd31ff4d0c6dd67ba7ae3da1b984ba6e74bea7cea9b832298
                                                                                                                                                                  • Instruction Fuzzy Hash: 6151F670A00284AFDF14CF5ACD81AAABFB5EF45315F24815AF9085B352C3B5DE41CB94
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 004F42CD: RtlAllocateHeap.NTDLL(00000000,004F9713,4D88C033,?,004F9713,00000220,?,004F2C8F,4D88C033), ref: 004F42FF
                                                                                                                                                                  • RtlReAllocateHeap.NTDLL(00000000,00000000,?,004EF921,00000000,?,004FA453,00000000,004EF921,00000012,00000001,?,?,004EF71B,00000001,00000012), ref: 004F4C8E
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                                                  • Opcode ID: 2e7b996dfa0404416d11db56eea4719c29d833f3cb97030e177712381e300773
                                                                                                                                                                  • Instruction ID: c197068544b6a74edd42beafa1091b609f8eeec5afa400caf0f2e88d1c1e41a9
                                                                                                                                                                  • Opcode Fuzzy Hash: 2e7b996dfa0404416d11db56eea4719c29d833f3cb97030e177712381e300773
                                                                                                                                                                  • Instruction Fuzzy Hash: BBF0FC3610219DA6C7212A23AC04F7F37589FC2775B17512BFB28962A1EF3CC80155AD
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,004F9713,4D88C033,?,004F9713,00000220,?,004F2C8F,4D88C033), ref: 004F42FF
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                                                  • Opcode ID: 2198638593cbac858731316a311480fbe239b50477190752b525c17ad8c2d171
                                                                                                                                                                  • Instruction ID: 89252cde3629954a7dd651662e79814aadfa885b8aeb937b2ffe9774318fd193
                                                                                                                                                                  • Opcode Fuzzy Hash: 2198638593cbac858731316a311480fbe239b50477190752b525c17ad8c2d171
                                                                                                                                                                  • Instruction Fuzzy Hash: 23E0A02530421896D63126AA9C04BBB3A489BC23B8F160167BF0596291DF2CCC0181FE
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: H_prolog3
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 431132790-0
                                                                                                                                                                  • Opcode ID: 642ab808bc47696ae728f0514146959be3b190675648a466094860987fb1a248
                                                                                                                                                                  • Instruction ID: 6774f2ffb1e86b77a5a3f95ea0b65f3d51a0f57c6d64d54c353970c0c04ae7a7
                                                                                                                                                                  • Opcode Fuzzy Hash: 642ab808bc47696ae728f0514146959be3b190675648a466094860987fb1a248
                                                                                                                                                                  • Instruction Fuzzy Hash: 66E09AB6C0020DAADB00DFD5C452BEFBBFCAB08304F50412BA205E7141EA7857858BE1
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000), ref: 004EBBD9
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                  Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 5bacf90617f034da2893445faaeab56ee3b919b783a427b181f714fcfbce91ee
• Instruction ID: 68ba10a0c8402e923ab1748f6cde1fcb114169dd3f62df60daf3c7347e77fc85
• Opcode Fuzzy Hash: 5bacf90617f034da2893445faaeab56ee3b919b783a427b181f714fcfbce91ee
• Instruction Fuzzy Hash: 68D06C3205010DFBDF028F84DC06EDA3BAAFB88714F018000BA5856120C732E821EB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(6C2E0000), ref: 0043CA73
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 1b817b431e1bcb8b8660f8d52eba7c158e344ec8198f08c13cc3c16a208e3d83
• Instruction ID: c2aff94c4f18faa8c51ba634006d0e3fc72a7f72d38d24f3f513cb8b6753d3b2
• Opcode Fuzzy Hash: 1b817b431e1bcb8b8660f8d52eba7c158e344ec8198f08c13cc3c16a208e3d83
• Instruction Fuzzy Hash: 9EC0805844C7C19BD70283704C0C3DEFF547B37308F8800879544D5196F27CC018D611
Uniqueness

Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(00000065,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041E907
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 6ae5d539560427b4273ddbb2323bd143869bb8717069fdd20952c7c124a300a7
• Instruction ID: 856fd3f3b6c9bdd6e77d2204c72a8a86155eda9e7d346db51e80ac84defc7b96
• Opcode Fuzzy Hash: 6ae5d539560427b4273ddbb2323bd143869bb8717069fdd20952c7c124a300a7
• Instruction Fuzzy Hash: D00120B6E44684ABD720EB599C0ABAE7B54E741B28F14024EF5141B3C1D7791844D7C6
Uniqueness

Uniqueness Score: -1.00%

APIs
• Sleep.KERNELBASE(00000065,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041E9A7
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 1dd3132a831f6b3fdc37602cddac998eaa2dfe8dc3bc418b2e161be17c3cae3a
• Instruction ID: 4d51e3cdc561a834d510c8c3ef11e1b4b22122f6eac1103c18ef6d6a89a62e8d
• Opcode Fuzzy Hash: 1dd3132a831f6b3fdc37602cddac998eaa2dfe8dc3bc418b2e161be17c3cae3a
• Instruction Fuzzy Hash: 310120B6E54644ABD7209B599C06BEE7B64E741B28F14024EF5181B3C1D77818448BC5
Uniqueness

Uniqueness Score: -1.00%

APIs
• Sleep.KERNELBASE(00000065,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041EA47
Memory Dump Source
• Source File: 00000000.00000002.2079541618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: d6de9ebc316f42d030ed6e88b55143bd222477d6e94bd323caeb6c642de71256
• Instruction ID: 8197e4f2a7925b8cf845a2034c93b7373f5ae7c38e82d9b16ca3c881090597ec
• Opcode Fuzzy Hash: d6de9ebc316f42d030ed6e88b55143bd222477d6e94bd323caeb6c642de71256
• Instruction Fuzzy Hash: 22017B75E44784AFD710EB49DC06BAEBBA4EB51B28F04024EF5241B7C1D7B8184487C5
Uniqueness

Uniqueness Score: -1.00%