
Windows Analysis Report
ygm2mXUReY.exe

Overview

General Information

Sample name:ygm2mXUReY.exe
renamed because original name is a hash value
Original sample name:d668244429e4a7a0b205b2ce843b9663.exe
Analysis ID:1429359
MD5:d668244429e4a7a0b205b2ce843b9663
SHA1:dd8aee62f445db5649840f9ffb8cb33d304254f3
SHA256:ef09750219f549d293572aedb0f593ef6c4a74ac77bb99950ca8b5a91377ab89
Tags:32 exe trojan

Detection

RisePro Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • ygm2mXUReY.exe (PID: 5504 cmdline: "C:\Users\user\Desktop\ygm2mXUReY.exe" MD5: D668244429E4A7A0B205B2CE843B9663)
    • schtasks.exe (PID: 6520 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 4712 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 2656 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 796 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4128 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 952 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6224 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 984 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5044 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 992 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 1476 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 1056 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6624 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 1380 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 3140 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 1388 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 1672 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: D668244429E4A7A0B205B2CE843B9663)
    • WerFault.exe (PID: 6204 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 800 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2656 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 912 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 3184 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 916 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6508 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 948 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 736 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: D668244429E4A7A0B205B2CE843B9663)
    • WerFault.exe (PID: 2924 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 772 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6292 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 896 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6580 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 900 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5960 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 912 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5496 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 1100 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source: C:\Users\user\AppData\Local\Temp\SZDEAvOWuc1j5blWLO4H6aA.zip; Rule: JoeSecurity_RiseProStealer; Description: Yara detected RisePro Stealer; Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\dxTuy4jPkMDKvqGzbwvO8nc.zip; Rule: JoeSecurity_RiseProStealer; Description: Yara detected RisePro Stealer; Author: Joe Security
Source: 00000000.00000002.2415576693.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_RiseProStealer; Description: Yara detected RisePro Stealer; Author: Joe Security
Source: 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_RiseProStealer; Description: Yara detected RisePro Stealer; Author: Joe Security
Source: 00000009.00000003.2440628791.0000000004371000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_RiseProStealer; Description: Yara detected RisePro Stealer; Author: Joe Security
Source: 0000000A.00000002.2607924286.0000000005F30000.00000040.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_Smokeloader_3687686f; Description: unknown; Author: unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89

System Summary

Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ygm2mXUReY.exe, ProcessId: 5504, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
Timestamp: 04/22/24-01:53:01.193897; SID: 2046266; Source Port: 58709; Destination Port: 49708; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 04/22/24-01:53:38.322767; SID: 2046269; Source Port: 49708; Destination Port: 58709; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 04/22/24-01:53:37.276261; SID: 2046269; Source Port: 49706; Destination Port: 58709; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 04/22/24-01:53:24.660719; SID: 2046266; Source Port: 58709; Destination Port: 49723; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 04/22/24-01:53:00.837713; SID: 2046266; Source Port: 58709; Destination Port: 49706; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 04/22/24-01:53:24.890079; SID: 2046267; Source Port: 58709; Destination Port: 49723; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 04/22/24-01:53:54.436720; SID: 2046270; Source Port: 49723; Destination Port: 58709; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 04/22/24-01:52:56.197489; SID: 2049060; Source Port: 49705; Destination Port: 58709; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 04/22/24-01:53:54.436720; SID: 2049661; Source Port: 49723; Destination Port: 58709; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 04/22/24-01:53:29.479123; SID: 2046269; Source Port: 49723; Destination Port: 58709; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 04/22/24-01:52:56.636815; SID: 2046267; Source Port: 58709; Destination Port: 49705; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 04/22/24-01:52:56.389699; SID: 2046266; Source Port: 58709; Destination Port: 49705; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 04/22/24-01:53:47.973422; SID: 2046269; Source Port: 49715; Destination Port: 58709; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 04/22/24-01:53:01.078051; SID: 2046267; Source Port: 58709; Destination Port: 49706; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 04/22/24-01:53:00.350421; SID: 2046269; Source Port: 49705; Destination Port: 58709; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 04/22/24-01:53:12.584543; SID: 2046266; Source Port: 58709; Destination Port: 49715; Protocol: TCP; Classtype: A Network Trojan was detected

AV Detection

Source: ygm2mXUReY.exe; Avira: detected
Source: http://193.233.132.167/cost/lenin.exe; URL Reputation: Label: malware
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Avira: detection malicious, Label: HEUR/AGEN.1313019
Source: http://193.233.132.167/cost/lenin.exeepro; Virustotal: Detection: 24%
Source: http://193.233.132.167/cost/go.exe; Virustotal: Detection: 24%
Source: http://193.233.132.167/cost/go.exeadka.ex; Virustotal: Detection: 24%
Source: http://193.233.132.167/cost/lenin.exe0; Virustotal: Detection: 23%
Source: http://147.45.47.102:57893/hera/amadka.exe; Virustotal: Detection: 18%
Source: http://147.45.47.102:57893/hera/amadka.exea; Virustotal: Detection: 15%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; ReversingLabs: Detection: 36%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Virustotal: Detection: 39%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Virustotal: Detection: 39%
Source: ygm2mXUReY.exe; Virustotal: Detection: 39%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Joe Sandbox ML: detected
Source: ygm2mXUReY.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ygm2mXUReY.exe; Code function: 0_2_004D1240 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,0_2_004D1240

Compliance

Source: C:\Users\user\Desktop\ygm2mXUReY.exe; Unpacked PE file: 0.2.ygm2mXUReY.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack
Source: ygm2mXUReY.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ygm2mXUReY.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: Binary string: ]C:\wedigi\reciforeb\tetuguhuc\y.pdb source: ygm2mXUReY.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr
Source: Binary string: C:\wedigi\reciforeb\tetuguhuc\y.pdb source: ygm2mXUReY.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr
Source: C:\Users\user\Desktop\ygm2mXUReY.exe; Code function: 0_2_004D0620 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004D0620
Source: C:\Users\user\Desktop\ygm2mXUReY.exe; Code function: 0_2_004F2870 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_004F2870
Source: C:\Users\user\Desktop\ygm2mXUReY.exe; Code function: 0_2_0042C82B FindClose,FindFirstFileExW,GetLastError,0_2_0042C82B
Source: C:\Windows\SysWOW64\WerFault.exe; File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe; File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe; File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ygm2mXUReY.exe_65396d3389e0d0bfd23059c0a7ad776d4579bbf9_66eab1d0_2bf57861-c4ef-4b8b-97e9-ae95bb3c92d5\
Source: C:\Windows\SysWOW64\WerFault.exe; File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe; File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe; File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_1695d586fe6dcb3fc26aa419f17677af41dbbd72_05789ee0_782df4d4-a9ed-4ef0-9c2b-b94a67192a7b\

Networking

Source: Traffic; Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49705
Source: Traffic; Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49705
Source: Traffic; Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49706
Source: Traffic; Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49706
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49708
Source: Traffic; Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49706 -> 147.45.47.93:58709
Source: Traffic; Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49708 -> 147.45.47.93:58709
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49715
Source: Traffic; Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49715 -> 147.45.47.93:58709
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49723
Source: Traffic; Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49723
Source: Traffic; Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49723 -> 147.45.47.93:58709
Source: Traffic; Snort IDS: 2049661 ET TROJAN RisePro CnC Activity (Inbound) 192.168.2.5:49723 -> 147.45.47.93:58709
Source: Traffic; Snort IDS: 2046270 ET TROJAN [ANY.RUN] RisePro TCP (Exfiltration) 192.168.2.5:49723 -> 147.45.47.93:58709
Source: global traffic; TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic; TCP traffic: 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Joe Sandbox View; IP Address: 34.117.186.192
Source: Joe Sandbox View; IP Address: 147.45.47.93
Source: Joe Sandbox View; IP Address: 172.67.75.166
Source: Joe Sandbox View; ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View; JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown; DNS query: name: ipinfo.io
Source: global traffic; HTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: ipinfo.io
Source: global traffic; HTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: db-ip.com
Source: unknown; TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: C:\Users\user\Desktop\ygm2mXUReY.exe; Code function: 0_2_004D3150 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,freeaddrinfo,WSACleanup,freeaddrinfo,0_2_004D3150
Source: global traffic; HTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: ipinfo.io
Source: global traffic; HTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: db-ip.com
Source: unknown; DNS traffic detected: queries for: ipinfo.io
Source: ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377717823.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377717823.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe&
Source: MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeA
Source: MPGPH131.exe, 00000009.00000003.2442056915.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.0000000004371000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exea
Source: ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://193.233.132.167/cost/go.exe
              Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/go.exe.52
              Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/go.exeadka.ex
              Source: MPGPH131.exe, 00000009.00000003.2442056915.0000000004371000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/go.exeate
              Source: ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/go.exeda1t
              Source: ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exe
              Source: MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exe0
              Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exeepro
              Source: ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exeoina
              Source: Amcache.hve.8.drString found in binary or memory: http://upx.sf.net
              Source: ygm2mXUReY.exe, 00000000.00000002.2413162518.000000000427D000.00000040.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590308249.0000000004656000.00000040.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607833266.00000000046C3000.00000040.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.winimage.com/zLibD
              Source: MPGPH131.exe, 0000000A.00000002.2607924286.0000000005F30000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
              Source: ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2178291011.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/
              Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
              Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52?F
              Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52U
              Source: MPGPH131.exe, 00000009.00000003.2178291011.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/dx
              Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2178291011.0000000004326000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52
              Source: ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.drString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: MPGPH131.exe, 0000000A.00000002.2607017449.000000000442E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.000000000445F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/
              Source: ygm2mXUReY.exe, 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, ygm2mXUReY.exe, 00000000.00000003.2008770227.0000000006070000.00000004.00001000.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414862397.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590418032.0000000005FE0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2045834607.0000000006180000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2587702238.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2046639199.00000000060D0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2604776514.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2607924286.0000000005F30000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/Content-Type:
              Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043DC000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043DC000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043DD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.000000000446A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/Mozilla/5.0
              Source: MPGPH131.exe, 00000009.00000002.2589750462.00000000042C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/l
              Source: ygm2mXUReY.exe, 00000000.00000002.2413282182.00000000043B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/rb
              Source: ygm2mXUReY.exe, 00000000.00000002.2413282182.00000000043AD000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2413282182.00000000043D5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2589750462.00000000042DB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.000000000446A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.000000000443E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
              Source: ygm2mXUReY.exe, 00000000.00000002.2413282182.00000000043AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52=J
              Source: MPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52a9
              Source: MPGPH131.exe, 0000000A.00000002.2607017449.000000000443E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52e
              Source: ygm2mXUReY.exe, 00000000.00000002.2413282182.0000000004393000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/z=
              Source: ygm2mXUReY.exe, 00000000.00000002.2413282182.00000000043D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52
              Source: MPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52(
              Source: MPGPH131.exe, 0000000A.00000002.2607017449.000000000446A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52?
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
              Source: ygm2mXUReY.exe, 00000000.00000002.2415576693.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2413282182.000000000435E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2589750462.000000000428E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.00000000043F8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2439521788.0000000008E04000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2608848110.0000000008E08000.00000004.00000020.00020000.00000000.sdmp, SZDEAvOWuc1j5blWLO4H6aA.zip.0.dr, dxTuy4jPkMDKvqGzbwvO8nc.zip.10.drString found in binary or memory: https://t.me/RiseProSUPPORT
              Source: MPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2439521788.0000000008E04000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2608848110.0000000008E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTV
              Source: MPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTd
              Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2608848110.0000000008E08000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.10.dr, passwords.txt.0.drString found in binary or memory: https://t.me/risepro_bot
              Source: MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot-
              Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot6F
              Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot9
              Source: MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botl
              Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botrisepro
              Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot~Fxt
              Source: ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.drString found in binary or memory: https://www.ecosia.org/newtab/
              Source: ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: ygm2mXUReY.exe, 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, ygm2mXUReY.exe, 00000000.00000003.2008770227.0000000006070000.00000004.00001000.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414862397.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590418032.0000000005FE0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2045834607.0000000006180000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2587702238.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2046639199.00000000060D0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2604776514.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2607924286.0000000005F30000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
              Source: ygm2mXUReY.exe, 00000000.00000003.2221967166.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
              Source: ygm2mXUReY.exe, 00000000.00000003.2220067370.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2214238152.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2224382558.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377717823.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2212085169.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2214654072.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2219193682.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220945859.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220398763.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2221967166.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2210682091.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2217585171.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2223890985.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2294441713.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2274481125.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2280241970.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, 
MPGPH131.exe, 00000009.00000003.2275529201.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2289744340.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/N
Source: ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377717823.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/n
Source: D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: ygm2mXUReY.exe, 00000000.00000003.2220067370.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2214238152.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2224382558.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377717823.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2212085169.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2214654072.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2219193682.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220945859.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220398763.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2221967166.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2210682091.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2217585171.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2223890985.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2294441713.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2274481125.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2280241970.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, 
MPGPH131.exe, 00000009.00000003.2275529201.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2289744340.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
              Source: ygm2mXUReY.exe, 00000000.00000003.2217585171.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2212085169.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220067370.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377717823.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2214654072.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2214238152.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2210682091.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2219193682.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377717823.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2224382558.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2223890985.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220945859.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220398763.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, 
ygm2mXUReY.exe, 00000000.00000003.2221967166.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004371000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/6)
Source: MPGPH131.exe, 00000009.00000002.2590179683.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004371000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/atata
Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/eG
              Source: ygm2mXUReY.exe, 00000000.00000003.2220067370.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2214238152.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2224382558.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377717823.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2212085169.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2214654072.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2219193682.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220945859.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220398763.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2221967166.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2210682091.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2217585171.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2223890985.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2294441713.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2274481125.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2280241970.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, 
MPGPH131.exe, 00000009.00000003.2275529201.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2289744340.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_004F2150 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown

              System Summary

Source: 0000000A.00000002.2607924286.0000000005F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2413162518.000000000427D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.2607833266.00000000046C3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000002.2590308249.0000000004656000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000002.2590418032.0000000005FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2414862397.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_0045504E
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_0045B010
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_0049D110
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_005041A0
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_004091BF
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_0040D468
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_0040E58B
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_004F6660
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_004CC610
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_004B36B0
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_0045578C
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_0045A790
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_004DF790
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_004DB860
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_0043A8BD
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_00506920
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_005209F0
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_0054B990
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_0040CA55
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_00453C30
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_00506DD0
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_0042A040
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_0044F050
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_00409010
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_004FC0A0
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_004FB0A0
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_005040A0
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_00510140
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_00553170
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 796
Source: ygm2mXUReY.exe, 00000000.00000003.2023742197.00000000043B0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFires( vs ygm2mXUReY.exe
Source: ygm2mXUReY.exe, 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs ygm2mXUReY.exe
Source: ygm2mXUReY.exe, 00000000.00000003.2023118340.00000000043AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFires( vs ygm2mXUReY.exe
Source: ygm2mXUReY.exe, 00000000.00000003.2008770227.0000000006070000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs ygm2mXUReY.exe
Source: ygm2mXUReY.exe, 00000000.00000000.2007505852.00000000040D8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFires( vs ygm2mXUReY.exe
Source: ygm2mXUReY.exe, 00000000.00000002.2414862397.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs ygm2mXUReY.exe
Source: ygm2mXUReY.exe | Binary or memory string: OriginalFilenameFires( vs ygm2mXUReY.exe
Source: ygm2mXUReY.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0000000A.00000002.2607924286.0000000005F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2413162518.000000000427D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.2607833266.00000000046C3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.2590308249.0000000004656000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.2590418032.0000000005FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2414862397.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@24/114@2/3
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6668:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4268:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess736
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1672
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5504
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Command line argument: 131 (0_2_00453C30)
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Command line argument: 131 (0_2_00453C30)
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Command line argument: Dk43l_dwmk438* (0_2_00453C30)
Source: ygm2mXUReY.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ygm2mXUReY.exe, 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, ygm2mXUReY.exe, 00000000.00000003.2008770227.0000000006070000.00000004.00001000.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414862397.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590418032.0000000005FE0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2045834607.0000000006180000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2587702238.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2046639199.00000000060D0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2604776514.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2607924286.0000000005F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: ygm2mXUReY.exe, 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, ygm2mXUReY.exe, 00000000.00000003.2008770227.0000000006070000.00000004.00001000.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414862397.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590418032.0000000005FE0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2045834607.0000000006180000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2587702238.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2046639199.00000000060D0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2604776514.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2607924286.0000000005F30000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: ygm2mXUReY.exe, 00000000.00000003.2212874316.000000000901F000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2211674747.0000000008E29000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220253774.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2290422412.0000000008F8F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2290821951.0000000008E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277951869.0000000008E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2275318920.0000000008E29000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2263800079.0000000008DFF000.00000004.00000020.00020000.00000000.sdmp, TMHi1BjWgM9QLogin Data.0.dr, u7JVJIshcVUFLogin Data.10.dr, D_PqPMh3t76fLogin Data.0.dr, BvIYddkfIBauLogin Data.10.dr, MRFQeKpv_Q9HLogin Data For Account.10.dr, e1b5ormmlkNOLogin Data For Account.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ygm2mXUReY.exe | Virustotal: Detection: 39%
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | File read: C:\Users\user\Desktop\ygm2mXUReY.exe
Source: unknown | Process created: C:\Users\user\Desktop\ygm2mXUReY.exe "C:\Users\user\Desktop\ygm2mXUReY.exe"
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 796
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 952
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 984
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 992
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 1056
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 772
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 1380
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 896
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 1388
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 900
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 916
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 912
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 948
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 1100
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Section loaded: d3d10warp.dll
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: dxcore.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: devobj.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: webio.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msimg32.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msvcr100.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d11.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxgi.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: resourcepolicyclient.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d10warp.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxcore.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wininet.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: devobj.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: webio.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: schannel.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wldp.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winhttp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msimg32.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rstrtmgr.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncrypt.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntasn1.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msvcr100.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d11.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxgi.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: resourcepolicyclient.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: kernel.appcore.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d10warp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: uxtheme.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxcore.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: sspicli.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wininet.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mswsock.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: devobj.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: webio.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: iphlpapi.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winnsi.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dnsapi.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: fwpuclnt.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rasadhlp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: schannel.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mskeyprotect.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncryptsslp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msasn1.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptsp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rsaenh.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptbase.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: gpapi.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: vaultcli.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wintypes.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: windows.storage.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wldp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntmarta.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dpapi.dll
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
              Source: ygm2mXUReY.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: ]C:\wedigi\reciforeb\tetuguhuc\y.pdb source: ygm2mXUReY.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr
              Source: Binary string: C:\wedigi\reciforeb\tetuguhuc\y.pdb source: ygm2mXUReY.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr

              Data Obfuscation

Source: C:\Users\user\Desktop\ygm2mXUReY.exe; Unpacked PE file: 0.2.ygm2mXUReY.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\ygm2mXUReY.exe; Unpacked PE file: 0.2.ygm2mXUReY.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\Desktop\ygm2mXUReY.exe; File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\ygm2mXUReY.exe; File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\ygm2mXUReY.exe; File created: C:\ProgramData\MPGPH131\MPGPH131.exe

              Boot Survival

Source: C:\Users\user\Desktop\ygm2mXUReY.exe; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\ygm2mXUReY.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\ygm2mXUReY.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\ygm2mXUReY.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep graph_0-20082
              Source: C:\Users\user\Desktop\ygm2mXUReY.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep graph_0-20083
              Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 0_2_0045A5C0
              Source: C:\Users\user\Desktop\ygm2mXUReY.exe TID: 3192 Thread sleep count: 43 > 30
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1856 Thread sleep count: 101 > 30
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1856 Thread sleep count: 38 > 30
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4432 Thread sleep count: 101 > 30
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004D0620 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_004D0620
              Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004F2870 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_004F2870
              Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0042C82B FindClose,FindFirstFileExW,GetLastError, 0_2_0042C82B
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ygm2mXUReY.exe_65396d3389e0d0bfd23059c0a7ad776d4579bbf9_66eab1d0_2bf57861-c4ef-4b8b-97e9-ae95bb3c92d5\
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_1695d586fe6dcb3fc26aa419f17677af41dbbd72_05789ee0_782df4d4-a9ed-4ef0-9c2b-b94a67192a7b\
              Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWu
              Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: formVMware20,11696428655
              Source: MPGPH131.exe, 00000009.00000003.2296684755.0000000008F93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169642865p
              Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ccount.microsoft.com/profileVMware20,11696428655u
              Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696428655
              Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696
              Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r global passwords blocklistVMware20,11696428655
              Source: ygm2mXUReY.exe, 00000000.00000002.2415576693.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}gramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows8ZAAAA``I
              Source: ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_92579849:FTt_
              Source: MPGPH131.exe, 00000009.00000003.2292406288.0000000008F8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,11696428655
              Source: MPGPH131.exe, 0000000A.00000002.2607017449.00000000043F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
              Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
              Source: ygm2mXUReY.exe, 00000000.00000002.2413282182.0000000004350000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000IFIER=Intel64 Family 6 Model @
              Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: MPGPH131.exe, 00000009.00000003.2292406288.0000000008F8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CT name, value FROM autofillmain'.sqlite_masterr global passwords blocklistVMware20,11696428655
              Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
              Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
              Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*
              Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
              Source: MPGPH131.exe Binary or memory string: hgFsatiaOZiP5ud66KrfNQakFogGwqi01OGshxNLlXk75qdnYqEmja4bFX50KvIXsUhbKrnbOpHRo5rei0yg1qt3msWkBojOykFtdII2ep8Ti5TC6idfMCnds9Npph6Fqyu1pQe3o5O3p7yYZqcVUtG1R0ejStP9RHuhTF0KXntOn9xGOgHsABEhd4KFsN9MvtQZdJWYqjSF1BtshZUYEEghs8BkuMryRbq1kaSnMG0jvJhXLWSsyBzLkeFQZDuwCEck
              Source: MPGPH131.exe Binary or memory string: uehgFsatiaOZiP5ud66KrfNQakFogGwqi01OGshxNLlXk75qdnYqEmja4bFX50KvIXsUhbKrnbOpHRo5rei0yg1qt3msWkBojOykFtdII2ep8Ti5TC6idfMCnds9Npph6Fqyu1pQe3o5O3p7yYZqcVUtG1R0ejStP9RHuhTF0KXntOn9xGOgHsABEhd4KFsN9MvtQZdJWYqjSF1BtshZUYEEghs8BkuMryRbq1kaSnMG0jvJhXLWSsyBzLkeFQZDuwCE
              Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
              Source: MPGPH131.exe, 0000000A.00000003.2276920774.0000000008E2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PasswordVMware20,1169642
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: discord.comVMware20,11696428655f
              Source: MPGPH131.exe, 0000000A.00000003.2089367371.0000000004458000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
              Source: MPGPH131.exe, 00000009.00000003.2442940053.0000000004371000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_92579849m
              Source: MPGPH131.exe, 00000009.00000003.2296684755.0000000008F93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
              Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
              Source: MPGPH131.exe, 00000009.00000003.2296684755.0000000008F93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428x
              Source: ygm2mXUReY.exe, 00000000.00000003.2044956721.00000000043C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}P
              Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
              Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
              Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rootpagecomVMware20,11696428655o
              Source: Amcache.hve.8.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
              Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
              Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
              Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pageformVMware20,11696428655
              Source: MPGPH131.exe, 0000000A.00000003.2276920774.0000000008E2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: zure.comVMware20,1169642
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
              Source: MPGPH131.exe, 0000000A.00000002.2607583034.00000000044DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_92579849
              Source: MPGPH131.exe, 0000000A.00000003.2276920774.0000000008E2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ansaction PasswordVMware6
              Source: MPGPH131.exe, 00000009.00000003.2292406288.0000000008F8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696 T
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
              Source: Amcache.hve.8.dr Binary or memory string: VMware
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
              Source: MPGPH131.exe Binary or memory string: ehgFsatiaOZiP5ud66KrfNQakFogGwqi01OGshxNLlXk75qdnYqEmja4bFX50KvIXsUhbKrnbOpHRo5rei0yg1qt3msWkBojOykFtdII2ep8Ti5TC6idfMCnds9Npph6Fqyu1pQe3o5O3p7yYZqcVUtG1R0ejStP9RHuhTF0KXntOn9xGOgHsABEhd4KFsN9MvtQZdJWYqjSF1BtshZUYEEghs8BkuMryRbq1kaSnMG0jvJhXLWSsyBzLkeFQZDuwCEc
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: global block list test formVMware20,11696428655
              Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}<
              Source: ygm2mXUReY.exe, 00000000.00000002.2413282182.00000000043B1000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2589750462.00000000042DF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004325000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: MPGPH131.exe Binary or memory string: CKQMC7RUN74ZnXXnXfhxjfIuiZlHWLOEZh7yU2OUXaC0KOu1lA7guRD8jUl+YL/jV4e4s8Af3Yf0SL+EH9Nir8/I/6cgr8AuehgFsatiaOZiP5ud66KrfNQakFogGwqi01OGshxNLlXk75qdnYqEmja4bFX50KvIXsUhbKrnbOpHRo5rei0yg1qt3msWkBojOykFtdII2ep8Ti5TC6idfMCnds9Npph6Fqyu1pQe3o5O3p7yYZqcVUtG1R0ejStP9RHu
              Source: MPGPH131.exe, 00000009.00000002.2589750462.0000000004280000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&T9
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
              Source: MPGPH131.exe, 0000000A.00000003.2089367371.0000000004458000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
              Source: MPGPH131.exe, 00000009.00000003.2292406288.0000000008F8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eVMware20,11696428655
              Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
              Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169642865
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
              Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}-
              Source: MPGPH131.exe, 00000009.00000003.2292406288.0000000008F8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116HQ
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
              Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
              Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
              Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
              Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ra Change Transaction PasswordVMware20,11696428655
              Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
              Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: o.inVMware20,11696428655~
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
              Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
              Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116(
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
              Source: MPGPH131.exe Binary or memory string: C0KOu1lA7guRD8jUl+YL/jV4e4s8Af3Yf0SL+EH9Nir8/I/6cgr8AuehgFsatiaOZiP5ud66KrfNQakFogGwqi01OGshxNLlXk75qdnYqEmja4bFX50KvIXsUhbKrnbOpHRo5rei0yg1qt3msWkBojOykFtdII2ep8Ti5TC6idfMCnds9Npph6Fqyu1pQe3o5O3p7yYZqcVUtG1R0ejStP9RHuhTF0KXntOn9xGOgHsABEhd4KFsN9MvtQZdJWYqjSF1
              Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
              Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
              Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
              Source: MPGPH131.exe, 00000009.00000002.2589750462.00000000042EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}b9
              Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
              Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696428655
              Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\Profiles\v6zchhhv.default-release\cookies.sqlite
              Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
              Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: comVMware20,11696428655o
              Source: MPGPH131.exe, 0000000A.00000002.2607583034.00000000044DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_92579849T
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
              Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
              Source: MPGPH131.exe, 00000009.00000003.2440628791.0000000004371000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*H9
              Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
              Source: MPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
              Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWQ
              Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696428655
              Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: MPGPH131.exe, 00000009.00000003.2092896706.00000000042F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}v8
              Source: ygm2mXUReY.exe, 00000000.00000002.2413282182.0000000004350000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000OD
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeProcess queried: DebugPortJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPortJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPortJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPortJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPortJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPort
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPort
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPort
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPort
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_004E2080 IsDebuggerPresent,IsProcessorFeaturePresent,GetVolumeInformationA,0_2_004E2080
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045504E CreateThread,FindCloseChangeNotification,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep,0_2_0045504E
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045504E mov eax, dword ptr fs:[00000030h]0_2_0045504E
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045504E mov ecx, dword ptr fs:[00000030h]0_2_0045504E
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045A5C0 mov eax, dword ptr fs:[00000030h]0_2_0045A5C0
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045A5C0 mov eax, dword ptr fs:[00000030h]0_2_0045A5C0
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_004DF790 mov ecx, dword ptr fs:[00000030h]0_2_004DF790
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_00453C30 mov eax, dword ptr fs:[00000030h]0_2_00453C30
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_00453C30 mov ecx, dword ptr fs:[00000030h]0_2_00453C30
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_004FA050 GetProcessHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,0_2_004FA050
              Source: C:\Users\user\Desktop\ygm2mXUReY.exeCode function: 0_2_00453C30 Sleep,GetCurrentProcess,SetPriorityClass,SetUnhandledExceptionFilter,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,GetModuleFileNameA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,CreateThread,FindCloseChangeNotification,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,SetCurrentDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,CreateThread,CreateThread,CreateThread,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep,0_2_00453C30
              Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
              Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_004DB860 GetModuleFileNameA,GetUserNameA,CopyFileA,CopyFileA,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,GetModuleFileNameA,CopyFileA
              Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Code function: 0_2_004479BE GetTimeZoneInformation
              Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
              Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
              Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
              Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe

              Stealing of Sensitive Information

              Source: Yara match | File source: 00000000.00000002.2415576693.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000003.2439521788.0000000008E04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2413282182.000000000435E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.2608848110.0000000008E08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: ygm2mXUReY.exe PID: 5504, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 1672, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 736, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\SZDEAvOWuc1j5blWLO4H6aA.zip, type: DROPPED
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dxTuy4jPkMDKvqGzbwvO8nc.zip, type: DROPPED
              Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets8b}
              Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.0000000004444000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
              Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.0000000004444000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx
              Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.0000000004444000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.0000000004444000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
              Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.0000000004444000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
              Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.0000000004444000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.0000000004444000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
              Source: MPGPH131.exe, 00000009.00000003.2440628791.0000000004325000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*G
              Source: ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
              Source: C:\Users\user\Desktop\ygm2mXUReY.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\ygm2mXUReY.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: Yara match | File source: 00000009.00000003.2440628791.0000000004371000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: ygm2mXUReY.exe PID: 5504, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 1672, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 736, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 00000000.00000002.2415576693.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000003.2439521788.0000000008E04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2413282182.000000000435E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.2608848110.0000000008E08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: ygm2mXUReY.exe PID: 5504, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 1672, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 736, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\SZDEAvOWuc1j5blWLO4H6aA.zip, type: DROPPED
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dxTuy4jPkMDKvqGzbwvO8nc.zip, type: DROPPED
              MITRE ATT&CK matrix, listed per tactic (one line per matrix column); the number in parentheses is the count of matched signatures for that technique, and techniques without a number were not observed for this sample:

              Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses, Network Security Appliances
              Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure, Domains
              Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools
              Execution: Native API (1), Command and Scripting Interpreter (3), Scheduled Task/Job (1), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell, AppleScript
              Persistence: DLL Side-Loading (1), Scheduled Task/Job (1), Registry Run Keys / Startup Folder (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd
              Privilege Escalation: DLL Side-Loading (1), Process Injection (1), Scheduled Task/Job (1), Registry Run Keys / Startup Folder (1), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd
              Defense Evasion: Software Packing (2), DLL Side-Loading (1), Masquerading (1), Virtualization/Sandbox Evasion (12), Process Injection (1), Steganography, Compile After Delivery, Indicator Removal from Tools, HTML Smuggling, Dynamic API Resolution, Stripped Payloads
              Credential Access: OS Credential Dumping (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture
              Discovery: System Time Discovery (1), Account Discovery (1), File and Directory Discovery (3), System Information Discovery (23), Query Registry (1), Security Software Discovery (261), Virtualization/Sandbox Evasion (12), Process Discovery (1), Application Window Discovery (1), System Owner/User Discovery (1), System Network Configuration Discovery (1)
              Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot, Software Deployment Tools
              Collection: Archive Collected Data (1), Data from Local System (2), Screen Capture (1), Email Collection (1), Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging
              Command and Control: Ingress Tool Transfer (2), Encrypted Channel (21), Non-Standard Port (1), Non-Application Layer Protocol (2), Application Layer Protocol (13), Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols
              Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol
              Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement, Firmware Corruption
              Behavior Graph (ID: 1429359; sample: ygm2mXUReY.exe; start date: 22/04/2024; architecture: WINDOWS; score: 100). Information recovered from the graph text:

              • DNS names resolved: ipinfo.io, db-ip.com
              • Network endpoints: 147.45.47.93, 49705, 49706, 49708, FREE-NET-ASFREEnetEU, Russian Federation; ipinfo.io 34.117.186.192, 443, 49707, 49710, GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States; db-ip.com 172.67.75.166, 443, 49709, 49712, CLOUDFLARENETUS, United States
              • Process tree: ygm2mXUReY.exe started; it started schtasks.exe twice (each with a conhost.exe child), WerFault.exe and 6 other processes. MPGPH131.exe started twice; one instance started WerFault.exe and 3 other processes, the other started WerFault.exe twice and 3 other processes.
              • Files dropped by ygm2mXUReY.exe: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32); C:\ProgramData\MPGPH131\MPGPH131.exe (PE32); C:\Users\user\...\SZDEAvOWuc1j5blWLO4H6aA.zip (Zip). Dropped by MPGPH131.exe: C:\Users\user\...\dxTuy4jPkMDKvqGzbwvO8nc.zip (Zip)
              • Signatures at the start node: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 7 other signatures
              • Signatures on ygm2mXUReY.exe: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file / registry access); 4 other signatures
              • Signatures on the MPGPH131.exe instances: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to harvest and steal browser information (history, passwords, etc)

              Source | Detection | Scanner | Label
              ygm2mXUReY.exe | 39% | Virustotal |
              ygm2mXUReY.exe | 100% | Avira | HEUR/AGEN.1313019
              ygm2mXUReY.exe | 100% | Joe Sandbox ML |

              Source | Detection | Scanner | Label
              C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Avira | HEUR/AGEN.1313019
              C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML |
              C:\ProgramData\MPGPH131\MPGPH131.exe | 37% | ReversingLabs |
              C:\ProgramData\MPGPH131\MPGPH131.exe | 39% | Virustotal |
              C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 37% | ReversingLabs |
              C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 39% | Virustotal |

              No Antivirus matches

              Source | Detection | Scanner | Label
              http://193.233.132.167/cost/lenin.exe | 100% | URL Reputation | malware
              http://193.233.132.167/cost/lenin.exeepro | 25% | Virustotal |
              http://193.233.132.167/cost/go.exe | 25% | Virustotal |
              http://193.233.132.167/cost/go.exeadka.ex | 25% | Virustotal |
              http://193.233.132.167/cost/lenin.exe0 | 24% | Virustotal |
              http://147.45.47.102:57893/hera/amadka.exe | 18% | Virustotal |
              http://147.45.47.102:57893/hera/amadka.exea | 15% | Virustotal |
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              ipinfo.io | 34.117.186.192 | true | false | | high
              db-ip.com | 172.67.75.166 | true | false | | high

              Name | Malicious | Antivirus Detection | Reputation
              https://ipinfo.io/widget/demo/81.181.57.52 | false | | high
              https://db-ip.com/demo/home.php?s=81.181.57.52 | false | | high
              Name | Source | Malicious | Antivirus Detection | Reputation
              https://duckduckgo.com/chrome_newtab | ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.dr | false | | high
              https://duckduckgo.com/ac/?q= | ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.dr | false | | high
              http://193.233.132.167/cost/lenin.exeepro | MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              http://193.233.132.167/cost/go.exeadka.ex | MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              http://147.45.47.102:57893/hera/amadka.exe | ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377717823.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://db-ip.com/ | ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2178291011.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://147.45.47.102:57893/hera/amadka.exe& | ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377717823.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.dr | false | | high
              https://t.me/RiseProSUPPORTd | MPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp | false | |
                                  high
                                  https://t.me/risepro_bot~Fxtygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                    high
                                    https://ipinfo.io/Content-Type:ygm2mXUReY.exe, 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, ygm2mXUReY.exe, 00000000.00000003.2008770227.0000000006070000.00000004.00001000.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414862397.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590418032.0000000005FE0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2045834607.0000000006180000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2587702238.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2046639199.00000000060D0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2604776514.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2607924286.0000000005F30000.00000040.00001000.00020000.00000000.sdmpfalse
                                      high
                                      http://193.233.132.167/cost/go.exe.52ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                        unknown
                                        http://193.233.132.167/cost/go.exeygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                        https://ipinfo.io/widget/demo/81.181.57.52eMPGPH131.exe, 0000000A.00000002.2607017449.000000000443E000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          https://t.me/risepro_bot-MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            https://t.me/RiseProSUPPORTVMPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2439521788.0000000008E04000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2608848110.0000000008E08000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              https://db-ip.com/dxMPGPH131.exe, 00000009.00000003.2178291011.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                https://ipinfo.io:443/widget/demo/81.181.57.52ygm2mXUReY.exe, 00000000.00000002.2413282182.00000000043D5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  high
                                                  https://db-ip.com/demo/home.php?s=81.181.57.52UMPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.drfalse
                                                      high
                                                      https://ipinfo.io/lMPGPH131.exe, 00000009.00000002.2589750462.00000000042C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        http://193.233.132.167/cost/lenin.exeygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmptrue
                                                        • URL Reputation: malware
                                                        unknown
                                                        https://t.me/risepro_bot9MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://t.me/risepro_botriseproygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            http://193.233.132.167/cost/lenin.exe0MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                                            https://db-ip.com:443/demo/home.php?s=81.181.57.52ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2178291011.0000000004326000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              https://ipinfo.io:443/widget/demo/81.181.57.52(MPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                http://www.winimage.com/zLibDygm2mXUReY.exe, 00000000.00000002.2413162518.000000000427D000.00000040.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590308249.0000000004656000.00000040.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607833266.00000000046C3000.00000040.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://db-ip.com/demo/home.php?s=81.181.57.52?Fygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://193.233.132.167/cost/go.exeda1tygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      https://www.google.com/images/branding/product/ico/googleg_lodp.icoygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.drfalse
                                                                        high
                                                                        http://193.233.132.167/cost/go.exeateMPGPH131.exe, 00000009.00000003.2442056915.0000000004371000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.drfalse
                                                                            high
                                                                            https://ipinfo.io/widget/demo/81.181.57.52=Jygm2mXUReY.exe, 00000000.00000002.2413282182.00000000043AD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://upx.sf.netAmcache.hve.8.drfalse
                                                                                high
                                                                                https://t.me/RiseProSUPPORTygm2mXUReY.exe, 00000000.00000002.2415576693.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2413282182.000000000435E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2589750462.000000000428E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.00000000043F8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2439521788.0000000008E04000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2608848110.0000000008E08000.00000004.00000020.00020000.00000000.sdmp, SZDEAvOWuc1j5blWLO4H6aA.zip.0.dr, dxTuy4jPkMDKvqGzbwvO8nc.zip.10.drfalse
                                                                                  high
                                                                                  https://t.me/risepro_bot6Fygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://www.ecosia.org/newtab/ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.drfalse
                                                                                      high
                                                                                      https://ipinfo.io/Mozilla/5.0ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043DC000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043DC000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043DD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.000000000446A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brD87fZN3R3jFeplaces.sqlite.0.drfalse
                                                                                          high
                                                                                          https://ipinfo.io/z=ygm2mXUReY.exe, 00000000.00000002.2413282182.0000000004393000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://147.45.47.102:57893/hera/amadka.exeaMPGPH131.exe, 00000009.00000003.2442056915.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.0000000004371000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                                                                            https://ac.ecosia.org/autocomplete?q=ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.drfalse
                                                                                              high
                                                                                              https://t.me/risepro_botMPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2608848110.0000000008E08000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.10.dr, passwords.txt.0.drfalse
                                                                                                high
                                                                                                https://t.me/risepro_botlMPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://ipinfo.io/MPGPH131.exe, 0000000A.00000002.2607017449.000000000442E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.000000000445F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://ipinfo.io/widget/demo/81.181.57.52a9MPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://www.maxmind.com/en/locate-my-ip-addressygm2mXUReY.exe, 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, ygm2mXUReY.exe, 00000000.00000003.2008770227.0000000006070000.00000004.00001000.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414862397.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590418032.0000000005FE0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2045834607.0000000006180000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2587702238.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2046639199.00000000060D0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2604776514.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2607924286.0000000005F30000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://193.233.132.167/cost/lenin.exeoinaygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBLD87fZN3R3jFeplaces.sqlite.0.drfalse
                                                                                                            high
                                                                                                            http://www.winimage.com/zLibDllMPGPH131.exe, 0000000A.00000002.2607924286.0000000005F30000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://support.mozilla.orgD87fZN3R3jFeplaces.sqlite.0.drfalse
                                                                                                                high
                                                                                                                https://ipinfo.io/rbygm2mXUReY.exe, 00000000.00000002.2413282182.00000000043B9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.drfalse
                                                                                                                    high
                                                                                                                    https://ipinfo.io:443/widget/demo/81.181.57.52?MPGPH131.exe, 0000000A.00000002.2607017449.000000000446A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://147.45.47.102:57893/hera/amadka.exeAMPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        unknown
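The URL rows above are Joe Sandbox's memory-string table as the report exports it: the URL is glued to the first Source entry, the Malicious flag is glued to the last one, and many "URLs" carry trailing bytes from adjacent memory (lenin.exeepro, risepro_bot~Fxt, amadka.exe&). For triage the useful unit is the host and port, not each noisy string. The following parser is an added example, not part of the Joe Sandbox report or of the RisePro sample: it splits rows on the first occurrence of a known Source name (the process names and dropped-file names are taken from this report; the list would be extended per report), recovers the process index from each memory-dump name and from the .N.dr suffix of dropped files, attaches detection and reputation lines, and collapses everything to one record per scheme://host[:port]. The reputation value set is assumed; the embedded sample rows are copied from the table above with most Source entries omitted.

```python
"""Parse the flattened "URLs found in memory" rows of a Joe Sandbox report
into IOC records and a per-host summary.

Added example, not part of the Joe Sandbox report or of the sample.
Row layout assumed (as in the rows above): one line per URL, the URL
immediately followed by the first Source entry, Source entries separated
by ", ", the Malicious flag (true/false) glued to the last Source entry and
optionally followed by the reputation word; otherwise the reputation, and
before it any "• ..." detection line, follows on its own line.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Joe Sandbox prints no separator between the URL and the Source column, so
# the split point is the earliest occurrence of a Source entry's leading
# name. Names taken from this report's process list and dropped files;
# extend the tuple with the report's other dropped-file names as needed.
SOURCE_STARTS = (
    "ygm2mXUReY.exe",
    "MPGPH131.exe",
    "Amcache.hve.8.dr",
    "D87fZN3R3jFeplaces.sqlite.0.dr",
)
REPUTATIONS = ("high", "moderate", "low", "unknown")  # assumed value set
FLAG_RE = re.compile(r"(true|false)(%s)?$" % "|".join(REPUTATIONS))
# <process index, hex>.<stage>.<dump id>.<base address>.<...>.sdmp
DUMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.[0-9A-Fa-f]{16}\..*\.sdmp$")
DROPPED_RE = re.compile(r"^.+\.(\d+)\.dr$")  # <file>.<process index, decimal>.dr


def split_row(line):
    """Return (url, source_text, malicious, reputation_or_None) for one row line."""
    m = FLAG_RE.search(line)
    if not m:
        raise ValueError("no Malicious flag at end of row: %r" % line[-40:])
    body = line[: m.start()]
    cut = min((i for i in (body.find(s) for s in SOURCE_STARTS) if i > 0), default=None)
    if cut is None:
        raise ValueError("cannot locate the Source column in: %r" % body[:60])
    return body[:cut], body[cut:], m.group(1) == "true", m.group(2)


def parse_sources(text):
    """Split a Source cell into process names, process indexes and dropped files."""
    procs, indexes, dropped = set(), set(), set()
    for tok in text.split(", "):
        m = DUMP_RE.match(tok)
        if m:  # memory dump; its first field is the hex process index
            indexes.add(int(m.group(1), 16))
            continue
        m = DROPPED_RE.match(tok)
        if m:  # dropped file; suffix is the decimal index of the dropping process
            dropped.add(tok)
            indexes.add(int(m.group(1)))
            continue
        procs.add(tok)  # process image name; the dumps that follow belong to it
    return procs, indexes, dropped


def parse_rows(lines):
    """Build one record per URL row; continuation lines carry detections/reputation."""
    records = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("http://", "https://")):
            url, src, malicious, rep = split_row(line)
            procs, idx, dropped = parse_sources(src)
            records.append({"url": url, "malicious": malicious, "reputation": rep,
                            "detections": [], "processes": procs,
                            "process_indexes": idx, "dropped_files": dropped})
        elif records and line.startswith("•"):
            records[-1]["detections"].append(line.lstrip("• ").strip())
        elif records and line in REPUTATIONS and records[-1]["reputation"] is None:
            records[-1]["reputation"] = line
    return records


def summarize_hosts(records):
    """Collapse the noisy per-string rows to one entry per scheme://host[:port]."""
    hosts = defaultdict(lambda: {"urls": set(), "malicious": False,
                                 "detections": set(), "processes": set()})
    for r in records:
        p = urlsplit(r["url"])  # trailing memory garbage only pollutes the path
        h = hosts["%s://%s" % (p.scheme, p.netloc)]
        h["urls"].add(r["url"])
        h["malicious"] |= r["malicious"]
        h["detections"].update(r["detections"])
        h["processes"].update(r["processes"])
    return dict(hosts)


# Rows copied from the table above, with most Source entries omitted for brevity.
SAMPLE_ROWS = """
http://193.233.132.167/cost/lenin.exeeproMPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmpfalseunknown
http://193.233.132.167/cost/lenin.exeygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004371000.00000004.00000020.00020000.00000000.sdmptrue
• URL Reputation: malware
unknown
http://147.45.47.102:57893/hera/amadka.exe&ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmpfalse
unknown
https://t.me/risepro_botMPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.10.dr, passwords.txt.0.drfalse
high
http://upx.sf.netAmcache.hve.8.drfalse
high
"""

if __name__ == "__main__":
    for host, info in sorted(summarize_hosts(parse_rows(SAMPLE_ROWS.splitlines())).items()):
        print(host, "MALICIOUS" if info["malicious"] else "-", sorted(info["processes"]),
              sorted(info["detections"]), len(info["urls"]))
```

Grouping by netloc is what makes the table usable: the four lenin.exe/go.exe variants collapse to the single payload host 193.233.132.167, the amadka.exe strings to 147.45.47.102:57893, and the process indexes tie each URL back to the sample (0) or to the two MPGPH131.exe instances (9 and 10) that also dropped passwords.txt.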
IP | Domain | Country | ASN | ASN Name | Malicious
34.117.186.192 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
147.45.47.93 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | true
172.67.75.166 | db-ip.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1429359
Start date and time: 2024-04-22 01:52:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ygm2mXUReY.exe (renamed because the original name is a hash value)
Original Sample Name: d668244429e4a7a0b205b2ce843b9663.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@24/114@2/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 56%
• Number of executed functions: 84
• Number of non-executed functions: 17
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target MPGPH131.exe, PID 1672 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
01:52:53 | Task Scheduler | Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
01:52:54 | Task Scheduler | Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
01:52:57 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
01:53:07 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.117.186.192 | SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe | malicious | Unknown | ipinfo.io/json
34.117.186.192 | SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe | malicious | Unknown | ipinfo.io/json
34.117.186.192 | Raptor.HardwareService.Setup 1.msi | malicious | Unknown | ipinfo.io/ip
34.117.186.192 | Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
34.117.186.192 | Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
34.117.186.192 | w.sh | malicious | Xmrig | /ip
34.117.186.192 | Raptor.HardwareService.Setup_2.3.6.0.msi | malicious | Unknown | ipinfo.io/ip
34.117.186.192 | Raptor.HardwareService.Setup_2.3.6.0.msi | malicious | Unknown | ipinfo.io/ip
34.117.186.192 | uUsgzQ3DoW.exe | malicious | RedLine | ipinfo.io/ip
34.117.186.192 | 8BZBgbeCcz.exe | malicious | RedLine | ipinfo.io/ip
147.45.47.93 | file.exe | malicious | RisePro Stealer |
147.45.47.93 | file.exe | malicious | RisePro Stealer |
147.45.47.93 | qk9TaBBxh8.exe | malicious | LummaC, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader |
147.45.47.93 | s2dwlCsA95.exe | malicious | RisePro Stealer |
147.45.47.93 | SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe | malicious | Amadey, RedLine, RisePro Stealer |
147.45.47.93 | SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer |
147.45.47.93 | UeW2b6mU6Z.exe | malicious | Amadey, RisePro Stealer |
147.45.47.93 | tA6etkt3gb.exe | malicious | Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT |
147.45.47.93 | file.exe | malicious | RisePro Stealer |
147.45.47.93 | dendy.exe | malicious | RisePro Stealer |
172.67.75.166 | file.exe | malicious | RisePro Stealer |
172.67.75.166 | s2dwlCsA95.exe | malicious | RisePro Stealer |
172.67.75.166 | file.exe | malicious | Clipboard Hijacker, RisePro Stealer |
172.67.75.166 | TANQUIVUIA.exe | malicious | LummaC, RisePro Stealer |
172.67.75.166 | oZ8kX4OA5q.exe | malicious | RisePro Stealer |
172.67.75.166 | S2ruRfajig.exe | malicious | RisePro Stealer |
172.67.75.166 | WARYTtjh4l.exe | malicious | RisePro Stealer |
172.67.75.166 | fzrGl94EQ2.exe | malicious | RisePro Stealer |
172.67.75.166 | SeR6QESSMe.exe | malicious | RisePro Stealer |
172.67.75.166 | z21FdylQJD.exe | malicious | RisePro Stealer |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipinfo.io | file.exe | malicious | RisePro Stealer | 34.117.186.192
ipinfo.io | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 34.117.186.192
ipinfo.io | Dj43d18ukx.exe | malicious | DCRat | 34.117.186.192
ipinfo.io | SenPalia.exe | malicious | Unknown | 34.117.186.192
ipinfo.io | UnderWars.exe | malicious | Unknown | 34.117.186.192
ipinfo.io | SenPalia.exe | malicious | Unknown | 34.117.186.192
ipinfo.io | UnderWars.exe | malicious | Unknown | 34.117.186.192
ipinfo.io | 2q45IEa3Ee.exe | malicious | LummaC, RisePro Stealer | 34.117.186.192
ipinfo.io | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 34.117.186.192
ipinfo.io | SajWKdHxdF.exe | malicious | RisePro Stealer | 34.117.186.192
db-ip.com | file.exe | malicious | RisePro Stealer | 172.67.75.166
db-ip.com | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 104.26.5.15
db-ip.com | 2q45IEa3Ee.exe | malicious | LummaC, RisePro Stealer | 104.26.5.15
db-ip.com | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 104.26.4.15
db-ip.com | SajWKdHxdF.exe | malicious | RisePro Stealer | 104.26.5.15
db-ip.com | file.exe | malicious | RisePro Stealer | 104.26.4.15
db-ip.com | s2dwlCsA95.exe | malicious | RisePro Stealer | 172.67.75.166
db-ip.com | SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe | malicious | Amadey, RedLine, RisePro Stealer | 104.26.5.15
db-ip.com | UeW2b6mU6Z.exe | malicious | Amadey, RisePro Stealer | 104.26.5.15
db-ip.com | file.exe | malicious | RisePro Stealer | 104.26.4.15
Match | Associated Sample Name / URL | Detection | Threat Name | Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | malicious | RisePro Stealer | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | Dj43d18ukx.exe | malicious | DCRat | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | SenPalia.exe | malicious | Unknown | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | UnderWars.exe | malicious | Unknown | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | SenPalia.exe | malicious | Unknown | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | UnderWars.exe | malicious | Unknown | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | 2q45IEa3Ee.exe | malicious | LummaC, RisePro Stealer | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | SajWKdHxdF.exe | malicious | RisePro Stealer | 34.117.186.192
CLOUDFLARENETUS | https://ozluc01lyejozbbzmr.pages.dev/smart89/ | malicious | Unknown | 104.21.53.38
CLOUDFLARENETUS | http://outlookaccount.rf.gd/?i=1 | malicious | Unknown | 104.20.95.138
CLOUDFLARENETUS | file.exe | malicious | RisePro Stealer | 172.67.75.166
CLOUDFLARENETUS | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 104.26.5.15
CLOUDFLARENETUS | https://shiny-haze-e3f9.oriental-chef-hrg9939.workers.dev/ | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | https://pub-a7051849f97e40258b2898070eea69ef.r2.dev/index.html | malicious | HTMLPhisher | 104.18.3.35
CLOUDFLARENETUS | https://yxv.ens.mybluehost.me/Ca/net/login.php | malicious | Unknown | 162.247.243.29
CLOUDFLARENETUS | https://yzkgxjyz0y4417anol.pages.dev/smart89/ | malicious | Unknown | 172.66.45.32
CLOUDFLARENETUS | https://pub-ad26986ae16e4366a1d34c587ca0df93.r2.dev/megme.html | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | https://topwingroups.top/login.php | malicious | Unknown | 104.21.19.92
FREE-NET-ASFREEnetEU | file.exe | malicious | RisePro Stealer | 147.45.47.93
FREE-NET-ASFREEnetEU | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 193.233.132.175
FREE-NET-ASFREEnetEU | 2q45IEa3Ee.exe | malicious | LummaC, RisePro Stealer |
                                                                                                                                                                • 193.233.132.253
                                                                                                                                                                file.exeGet hashmaliciousClipboard Hijacker, RisePro StealerBrowse
                                                                                                                                                                • 193.233.132.175
                                                                                                                                                                SajWKdHxdF.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                • 193.233.132.226
                                                                                                                                                                SajWKdHxdF.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                • 193.233.132.226
                                                                                                                                                                file.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                • 147.45.47.93
                                                                                                                                                                jNeaezBuo8.exeGet hashmaliciousGlupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRATBrowse
                                                                                                                                                                • 193.233.132.175
                                                                                                                                                                74fa486WVX.exeGet hashmaliciousMars Stealer, PureLog Stealer, Stealc, Vidar, zgRATBrowse
                                                                                                                                                                • 193.233.132.234
                                                                                                                                                                qk9TaBBxh8.exeGet hashmaliciousLummaC, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoaderBrowse
                                                                                                                                                                • 193.233.132.226
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: a0e9f5d64349fb13191bc781f81f42e1
file.exe | malicious | RisePro Stealer
• 34.117.186.192
• 172.67.75.166
file.exe | malicious | Clipboard Hijacker, RisePro Stealer
• 34.117.186.192
• 172.67.75.166
https://yxv.ens.mybluehost.me/Ca/net/login.php | malicious | Unknown
• 34.117.186.192
• 172.67.75.166
2q45IEa3Ee.exe | malicious | LummaC, RisePro Stealer
• 34.117.186.192
• 172.67.75.166
Pictures.com.exe | malicious | DBatLoader
• 34.117.186.192
• 172.67.75.166
2FjvjcayaH.exe | malicious | LummaC
• 34.117.186.192
• 172.67.75.166
qrLdMv1QXG.exe | malicious | LummaC
• 34.117.186.192
• 172.67.75.166
PASS-1234.exe | malicious | LummaC
• 34.117.186.192
• 172.67.75.166
file.exe | malicious | LummaC
• 34.117.186.192
• 172.67.75.166
file.exe | malicious | LummaC
• 34.117.186.192
• 172.67.75.166
                                                                                                                                                                No context
                                                                                                                                                                Process:C:\Users\user\Desktop\ygm2mXUReY.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):997888
                                                                                                                                                                Entropy (8bit):7.765309926729777
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24576:opsnpECte4yQyGPLUXotoVeJVUXuJlt+ZPZzR4:opspbe3GPwZVeIeJlt+ZxzR
                                                                                                                                                                MD5:D668244429E4A7A0B205B2CE843B9663
                                                                                                                                                                SHA1:DD8AEE62F445DB5649840F9FFB8CB33D304254F3
                                                                                                                                                                SHA-256:EF09750219F549D293572AEDB0F593EF6C4A74AC77BB99950CA8B5A91377AB89
                                                                                                                                                                SHA-512:998A0CD29C6ED6B9D922E2A5706A0B9F661F4C9EC2D8F30EF942BBC69D42C8D30938297D81123C6F2B312F5F09E81E08BBC38B944A563E4D0B7B17BD28DB2438
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 37%
                                                                                                                                                                • Antivirus: Virustotal, Detection: 39%, Browse
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.....|...|...|.......|.....z.|.....*.|.......|...}.v.|.4....|.......|.4....|.Rich..|.........PE..L...9..c.....................t......]@............@..........................p......C........................................j..P.......X...............................8....................`......h`..@............................................text............................... ..`.rdata..0t.......v..................@..@.data................`..............@....rsrc...X............J..............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\ygm2mXUReY.exe
                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):26
                                                                                                                                                                Entropy (8bit):3.95006375643621
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9417177043794801
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:8E8NzE8Ow056r96E6jjJnZrMbzuiF2Z24IO8Nj6t:M5EjL56rwjGzuiF2Y4IO8e
                                                                                                                                                                MD5:CF648F77C74B5C764523BD3D3BB987AE
                                                                                                                                                                SHA1:1BB3886995381BA9B164FC199D60926DD1CC764E
                                                                                                                                                                SHA-256:40A2EADB02CFB712123B01EDA0008738DF74F90E217B871816EBACFBA962F3E9
                                                                                                                                                                SHA-512:E1980C00D73498C337B345F97A0790D6F5F7D8E3005C15D73486F9691BCDAC39D48BB55569D31D71090688BF48896EBBA50AA55ED1F16AA5B4B457289829B1FB
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.7.1.8.3.3.0.7.4.3.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.1.d.f.5.7.f.9.-.a.9.1.1.-.4.a.7.6.-.a.d.6.c.-.3.f.a.7.3.0.1.1.a.b.4.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.a.1.9.f.f.2.-.a.0.9.8.-.4.7.0.4.-.a.7.0.b.-.a.e.f.c.9.3.2.2.5.1.b.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.e.0.-.0.0.0.1.-.0.0.1.4.-.2.4.a.9.-.0.8.0.7.4.7.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.3.6.b.e.9.c.1.f.9.7.5.a.b.3.8.7.c.9.1.c.5.0.e.1.5.6.3.9.8.4.0.0.0.0.0.a.1.6.!.0.0.0.0.d.d.8.a.e.e.6.2.f.4.4.5.d.b.5.6.4.9.8.4.0.f.9.f.f.b.8.c.b.3.3.d.3.0.4.2.5.4.f.3.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9418297882331839
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:OHE8Nza8Ow056r96E6jjJnZrMbzuiF2Z24IO8Nj6t:Ol5ajL56rwjGzuiF2Y4IO8e
                                                                                                                                                                MD5:7EA51700DE506FB851D5689B102DC0AA
                                                                                                                                                                SHA1:B7DF625ACC6EA62E04EBF89DB63F34041C14ECE2
                                                                                                                                                                SHA-256:7F7A07A8ED67A7121FBF36EDF664549A54861B986D80472B0680A8CDF47D3B46
                                                                                                                                                                SHA-512:79A4804A4931C3FAD53F1A8AA922F2D962D533EBA739B2A3A119357F7FEA918C17E849BFCA9CEDC7FD333D248373F39C7E4F09814782439F12DC242ED2E22553
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.7.1.8.2.1.4.2.4.4.3.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.2.d.b.c.3.4.-.0.1.3.5.-.4.7.9.5.-.9.9.3.d.-.4.4.3.6.5.0.4.9.e.b.9.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.e.2.a.7.b.7.3.-.3.0.4.8.-.4.f.c.7.-.9.e.d.6.-.b.8.f.f.3.6.1.e.1.0.1.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.e.0.-.0.0.0.1.-.0.0.1.4.-.2.4.a.9.-.0.8.0.7.4.7.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.3.6.b.e.9.c.1.f.9.7.5.a.b.3.8.7.c.9.1.c.5.0.e.1.5.6.3.9.8.4.0.0.0.0.0.a.1.6.!.0.0.0.0.d.d.8.a.e.e.6.2.f.4.4.5.d.b.5.6.4.9.8.4.0.f.9.f.f.b.8.c.b.3.3.d.3.0.4.2.5.4.f.3.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.948255186733817
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:pYLE8Nzf8Ow056r96E6jjJnZrMEzuiF2Z24IO8Nj6t:SR5fjL56rwjhzuiF2Y4IO8e
                                                                                                                                                                MD5:66F68F7ECC34A463B4C3F0306689D5F8
                                                                                                                                                                SHA1:8FAAAA7E058B053C9A38771317F2B46FFC766B61
                                                                                                                                                                SHA-256:1A20669C2B084C3FAB5237DC3FC0F372C42D151FDB03E48A8E48D270EC9D709B
                                                                                                                                                                SHA-512:264B5AE2D9115709EBD9AB448F9C9528C199C219FAAE46E83C0A9CB973A1D965590EFE285449F3B79CB77C945D96F6529A195EE8526B316BBD1E6965AB090B7F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.7.1.8.4.3.9.4.0.7.6.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.d.4.1.9.3.0.1.-.b.f.8.a.-.4.d.c.3.-.a.b.8.7.-.9.7.d.5.4.a.9.e.0.3.5.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.2.0.5.f.6.e.5.-.d.c.7.3.-.4.6.0.9.-.9.0.e.f.-.2.7.a.e.f.2.a.c.c.1.e.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.e.0.-.0.0.0.1.-.0.0.1.4.-.2.4.a.9.-.0.8.0.7.4.7.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.3.6.b.e.9.c.1.f.9.7.5.a.b.3.8.7.c.9.1.c.5.0.e.1.5.6.3.9.8.4.0.0.0.0.0.a.1.6.!.0.0.0.0.d.d.8.a.e.e.6.2.f.4.4.5.d.b.5.6.4.9.8.4.0.f.9.f.f.b.8.c.b.3.3.d.3.0.4.2.5.4.f.3.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:modified
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9085222453180201
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:2QF8Nz18Ow056r96E6jjS3ZrYFzuiF2Z24IO8Nj6t:S51jL56rwj/zuiF2Y4IO8e
                                                                                                                                                                MD5:54049390F02138ADCACEE0F34E772D96
                                                                                                                                                                SHA1:FC4B5BB0AFD96A76466DDF94B2A0563F61A1BF00
                                                                                                                                                                SHA-256:130DC150C0FEE61D611B21B473153104A47B807397E7E3DDFCDF16D43DEF51F4
                                                                                                                                                                SHA-512:B242F2EAB5175E8DE5C1796E21F696202750C8E3E911B2AC1AE8872107007C27C27459E4F09D17A20E535310C439123FCC50865A3FC668CA075461C11E55D5E5
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.7.1.7.8.3.3.4.6.3.6.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.5.7.1.8.2.e.b.-.5.9.3.3.-.4.9.3.a.-.b.c.c.4.-.d.d.0.0.6.8.7.7.2.e.1.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.7.2.6.6.6.d.a.-.e.3.c.5.-.4.a.8.0.-.9.6.0.3.-.6.5.f.e.4.1.6.c.f.6.0.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.8.8.-.0.0.0.1.-.0.0.1.4.-.2.f.e.d.-.9.c.0.6.4.7.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.3.6.b.e.9.c.1.f.9.7.5.a.b.3.8.7.c.9.1.c.5.0.e.1.5.6.3.9.8.4.0.0.0.0.0.a.1.6.!.0.0.0.0.d.d.8.a.e.e.6.2.f.4.4.5.d.b.5.6.4.9.8.4.0.f.9.f.f.b.8.c.b.3.3.d.3.0.4.2.5.4.f.3.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....
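Added example (not Joe Sandbox's code, nor the sample's): a Python script that re-derives the per-file fields listed in the dropped-file records above (Size, Entropy (8bit), MD5/SHA1/SHA-256/SHA-512) and decodes the two artifact types that carry forensic value here. It assumes a constructed 26-byte Zone.Identifier stream, `[ZoneTransfer]\r\nZoneId=0\r\n`, whose line-terminator layout the Preview column cannot confirm (every non-printable byte is shown as `.`; size and entropy do not depend on the layout), and a constructed Report.wer rebuilt from the values readable in the first WER Preview above. Helper names (`triage`, `parse_wer`, `parse_zone_identifier`) are the example's own. Two points it makes concrete: ZoneId=0 is the Local Machine URL zone, whereas a browser download carries ZoneId=3, so a file carrying this stream is not treated as Internet-sourced; and the second `!`-separated field of TargetAppId is Windows' FileId, `0000` followed by the SHA-1 of the crashing image, which here equals the SHA1 of the 997888-byte PE dropped above, tying the BEX (buffer-overrun exception) crash reports for MPGPH131.exe to that file.

```python
"""Re-derive the triage fields a sandbox lists for a dropped file and decode two
artifact types seen in the records above. All sample bytes are constructed here;
none were taken from the analysed system."""
import hashlib
import math
import re
from collections import Counter

# Constructed stand-in for the 26-byte Zone.Identifier stream. The report's
# Preview renders non-printable bytes as '.', so the CRLF layout is an assumption.
ZONE_IDENTIFIER = b"[ZoneTransfer]\r\nZoneId=0\r\n"

# URLZONE values as written into Zone.Identifier by MOTW-aware software.
URL_ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
             3: "Internet", 4: "Restricted Sites"}

# IMAGE_FILE_MACHINE_* values as they appear (decimal) in Wow64Host/Wow64Guest.
MACHINE_TYPES = {332: "i386", 34404: "AMD64", 43620: "ARM64"}

# Constructed Report.wer body (UTF-16 LE with BOM, key=value per CRLF line),
# populated with the values readable in the first WER Preview on the page.
WER_REPORT = (
    "\ufeffVersion=1\r\nEventType=BEX\r\nEventTime=133582171833074396\r\n"
    "ReportType=2\r\nConsent=1\r\n"
    "ReportIdentifier=11df57f9-a911-4a76-ad6c-3fa73011ab48\r\n"
    "IntegratorReportIdentifier=b8a19ff2-a098-4704-a70b-aefc932251b8\r\n"
    "Wow64Host=34404\r\nWow64Guest=332\r\nNsAppName=MPGPH131.exe\r\n"
    "AppSessionGuid=000002e0-0001-0014-24a9-08074794da01\r\n"
    "TargetAppId=W:0006ee36be9c1f975ab387c91c50e156398400000a16"
    "!0000dd8aee62f445db5649840f9ffb8cb33d304254f3!MPGPH131.exe\r\n"
    "TargetAppVer=2024//04//21:07:58:40!0!MPGPH131.exe\r\nBootId=4294967295\r\n"
).encode("utf-16-le")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, i.e. the report's 'Entropy (8bit)' figure (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes) -> dict:
    """Size, entropy and the four digests the report prints for each dropped file."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def parse_zone_identifier(data: bytes):
    """Return the ZoneId from a Zone.Identifier stream, or None if it has none."""
    m = re.search(rb"^ZoneId=(\d+)\s*$", data, re.M)
    return int(m.group(1)) if m else None


def parse_wer(data: bytes) -> dict:
    """Decode a Report.wer and lift out what ties the crash to a file: the crash
    bucket (EventType), the crashing image name, host/guest machine types and the
    SHA-1 embedded in TargetAppId (second '!' field, '0000' + 40 hex digits)."""
    text = data.decode("utf-16")  # the 'utf-16' codec consumes the BOM
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    out = {
        "fields": fields,
        "event_type": fields.get("EventType"),
        "app": fields.get("NsAppName"),
        "host_machine": MACHINE_TYPES.get(int(fields.get("Wow64Host", 0))),
        "guest_machine": MACHINE_TYPES.get(int(fields.get("Wow64Guest", 0))),
        "target_sha1": None,
    }
    parts = fields.get("TargetAppId", "").split("!")
    if len(parts) == 3 and len(parts[1]) == 44 and parts[1].startswith("0000"):
        out["target_sha1"] = parts[1][4:].lower()
    return out


if __name__ == "__main__":
    t = triage(ZONE_IDENTIFIER)
    zone = parse_zone_identifier(ZONE_IDENTIFIER)
    print(f"Zone.Identifier: {t['size']} bytes, entropy {t['entropy']:.14f}, "
          f"ZoneId={zone} ({URL_ZONES.get(zone, 'unknown')})")
    print("  MD5 ", t["md5"])
    print("  SHA1", t["sha1"])
    w = parse_wer(WER_REPORT)
    print(f"WER: {w['app']} crashed with bucket {w['event_type']} "
          f"({w['guest_machine']} process on {w['host_machine']} host); "
          f"TargetAppId SHA-1 = {w['target_sha1']}")
```

Run stand-alone, the script reproduces the 26-byte size and the 3.95006375643621 entropy of the Zone.Identifier record and prints its digests for comparison with the record's MD5/SHA1; it then reports MPGPH131.exe as a 32-bit (i386) process crashing with a BEX bucket on an AMD64 host, with the TargetAppId SHA-1 dd8aee62f445db5649840f9ffb8cb33d304254f3. Wow64Host/Wow64Guest are IMAGE_FILE_MACHINE values in decimal, which is why the constant table maps 34404 and 332 rather than 0x8664 and 0x14C.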
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9487587411601649
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:cLF8Nzg8Ow056r96E6jjS3ZrYKzuiF2Z24IO8Nj6t:ce5gjL56rwjgzuiF2Y4IO8e
                                                                                                                                                                MD5:2545812E24EA4EFD267798386EA8998B
                                                                                                                                                                SHA1:A0C5984AF5BD3B53C92DF0FEAEE7221BD6D097A3
                                                                                                                                                                SHA-256:557CCE97C1C89D5F9A8E3DEBB1F295322CCFD17BC1912072C4FF79DF109DD722
                                                                                                                                                                SHA-512:447546D10B4BB9D830CAE41B803895FE572F05C4F1AC78AF20F8B407E9049C255E41C0723C2EDC2CEEF3EB2E7178C9CBD55644399A16C044B2D2CAB351A1D860
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.7.1.8.3.4.6.3.1.4.7.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.4.a.a.4.c.5.0.-.a.1.b.6.-.4.7.7.f.-.8.1.c.5.-.7.c.1.1.0.1.0.2.1.e.3.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.f.0.d.0.1.6.e.-.3.5.4.6.-.4.f.a.7.-.8.3.f.b.-.1.0.c.4.9.a.9.2.4.9.2.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.8.8.-.0.0.0.1.-.0.0.1.4.-.2.f.e.d.-.9.c.0.6.4.7.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.3.6.b.e.9.c.1.f.9.7.5.a.b.3.8.7.c.9.1.c.5.0.e.1.5.6.3.9.8.4.0.0.0.0.0.a.1.6.!.0.0.0.0.d.d.8.a.e.e.6.2.f.4.4.5.d.b.5.6.4.9.8.4.0.f.9.f.f.b.8.c.b.3.3.d.3.0.4.2.5.4.f.3.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:modified
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9020563213787245
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:5E8NzB8Ow056r96E6jjJnZrMCzuiF2Z24IO8Nj6t:L5BjL56rwjHzuiF2Y4IO8e
                                                                                                                                                                MD5:ACC736A23F26F9634B903E759939AB7F
                                                                                                                                                                SHA1:D088E7E7273EEF3948F18D384B8CB1AB829B3A22
                                                                                                                                                                SHA-256:408D5ECE184A38A4550E0742AB6D39652DE8D6F5166F3BA7D20047EDF13FCDD2
                                                                                                                                                                SHA-512:BB55CACF9AB1FD9E5030A3783010B19380F91A826A1B49176FE9F5E477AFD1313F7EA8211BED3BD3FAF8C9D4600B3775FC262EC5C3F236941C3F45376DB281F8
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.7.1.7.8.3.7.2.4.8.2.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.8.2.d.f.4.d.4.-.a.9.e.d.-.4.e.f.0.-.9.c.2.b.-.b.9.4.a.6.7.1.9.2.a.7.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.4.c.f.4.3.0.3.-.a.7.7.f.-.4.5.c.f.-.b.6.b.5.-.c.3.f.2.b.3.6.0.2.c.4.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.e.0.-.0.0.0.1.-.0.0.1.4.-.2.4.a.9.-.0.8.0.7.4.7.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.3.6.b.e.9.c.1.f.9.7.5.a.b.3.8.7.c.9.1.c.5.0.e.1.5.6.3.9.8.4.0.0.0.0.0.a.1.6.!.0.0.0.0.d.d.8.a.e.e.6.2.f.4.4.5.d.b.5.6.4.9.8.4.0.f.9.f.f.b.8.c.b.3.3.d.3.0.4.2.5.4.f.3.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9420028760937459
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:nE8Nz18Ow056r96E6jjJnZrMbzuiF2Z24IO8Nj6t:F51jL56rwjGzuiF2Y4IO8e
                                                                                                                                                                MD5:DE816D05E9F3C4F14CCD122BEF2D8290
                                                                                                                                                                SHA1:B838768EF586E612010B6C1B2C82DA2EAD5AE0BB
                                                                                                                                                                SHA-256:6A77770CBD4017B4A93638DBD487053498546A93791ED39CBDD76CAE978FD852
                                                                                                                                                                SHA-512:FA87CB6BC58E77DFDF30961D6AB1A827BA6EA46D6ECB979BC712B77A53606C7B372684117A653A7633DE1797432567B53A277A168788059892822DD9E0790379
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.7.1.8.0.3.2.9.0.3.9.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.a.c.4.d.f.0.1.-.c.e.b.a.-.4.e.9.4.-.8.9.d.2.-.8.4.4.c.9.4.f.5.9.c.4.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.0.f.0.c.6.9.4.-.5.1.3.3.-.4.0.3.8.-.a.0.0.d.-.6.1.c.0.4.c.9.b.1.f.5.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.e.0.-.0.0.0.1.-.0.0.1.4.-.2.4.a.9.-.0.8.0.7.4.7.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.3.6.b.e.9.c.1.f.9.7.5.a.b.3.8.7.c.9.1.c.5.0.e.1.5.6.3.9.8.4.0.0.0.0.0.a.1.6.!.0.0.0.0.d.d.8.a.e.e.6.2.f.4.4.5.d.b.5.6.4.9.8.4.0.f.9.f.f.b.8.c.b.3.3.d.3.0.4.2.5.4.f.3.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9285531662345988
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:5F8Nz78Ow056r96E6jjS3ZrYCzuiF2Z24IO8Nj6t:Y57jL56rwjYzuiF2Y4IO8e
                                                                                                                                                                MD5:5E93C8434A167D92016B5AED5761AFB4
                                                                                                                                                                SHA1:8B8220B4FA3A73A420B369AF3021BEF3D8CA741C
                                                                                                                                                                SHA-256:D750D0F22BD5E14F4432B1417877D3FDB9E5BA2452157B0A178F7CF20AAC3101
                                                                                                                                                                SHA-512:23BA7269FB9ACC1708B6CB68590A5FE5BA3657D1A43E9A8529C5495289778E66BE0E7A99273D8D334095F6CF68C01C097D75BCE843C38BD4C603C42821B11F3E
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.7.1.8.0.8.5.1.9.4.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.5.0.7.a.2.4.8.-.5.c.e.c.-.4.7.7.c.-.9.6.5.b.-.7.9.a.1.d.a.a.c.0.8.d.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.6.7.5.0.4.9.3.-.2.2.e.0.-.4.e.3.4.-.a.e.f.4.-.d.2.0.d.d.5.6.4.6.e.b.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.8.8.-.0.0.0.1.-.0.0.1.4.-.2.f.e.d.-.9.c.0.6.4.7.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.3.6.b.e.9.c.1.f.9.7.5.a.b.3.8.7.c.9.1.c.5.0.e.1.5.6.3.9.8.4.0.0.0.0.0.a.1.6.!.0.0.0.0.d.d.8.a.e.e.6.2.f.4.4.5.d.b.5.6.4.9.8.4.0.f.9.f.f.b.8.c.b.3.3.d.3.0.4.2.5.4.f.3.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9358127774326155
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:+rRiF8Nzc68Ow056r96E6jjS3ZrYDzuiF2Z24IO8Nj6t:+Nh5ZjL56rwjJzuiF2Y4IO8e
                                                                                                                                                                MD5:1EBF86EC9D3E2EA2D3BD8F3A4554181B
                                                                                                                                                                SHA1:39AC1A94A7D33082D618B2565DBA750037CC771B
                                                                                                                                                                SHA-256:E936E69C50A83C2B20D9D98B1B973BFC700D6A370B070E1E4195DA30403F8302
                                                                                                                                                                SHA-512:CDD734BF235BE46C3A8EF3E24B9D7C2E5A0C8E1A1E84358BFDD9DD55D86C97976EAE517B5252A0BFBB8F729FEA85F0F6C9EDDAA11EF5DB9F97BA49BB7FBDC38B
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.7.1.8.2.4.3.1.8.6.0.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.4.0.1.0.5.8.9.-.7.3.5.1.-.4.5.6.c.-.9.2.8.a.-.3.3.8.1.9.8.f.9.d.0.8.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.7.b.e.d.b.3.d.-.2.2.1.1.-.4.2.a.5.-.8.9.7.6.-.5.a.a.b.7.2.c.3.7.1.b.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.8.8.-.0.0.0.1.-.0.0.1.4.-.2.f.e.d.-.9.c.0.6.4.7.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.3.6.b.e.9.c.1.f.9.7.5.a.b.3.8.7.c.9.1.c.5.0.e.1.5.6.3.9.8.4.0.0.0.0.0.a.1.6.!.0.0.0.0.d.d.8.a.e.e.6.2.f.4.4.5.d.b.5.6.4.9.8.4.0.f.9.f.f.b.8.c.b.3.3.d.3.0.4.2.5.4.f.3.!.M.P.G.P.H.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.M.P.G.P.H.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):1.0043834928951267
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:ksTa5CYdmPIC4s2tYqOoA7Rh6tQXIDcQnc6rCcEhcw3r3/j+HbHg/opAnQr39DD8:uan4dw056rwjS3ZrYTBzuiF2Z24IO8+
                                                                                                                                                                MD5:085966659594E5005A50FC88524876D7
                                                                                                                                                                SHA1:D67F74A627A9BB31E8D7A523A22F6824FDAA839E
                                                                                                                                                                SHA-256:7B4D4C622153DF8EA6973A95C498081E5D081B3B98583B8ACD6F393BACDE9CC3
                                                                                                                                                                SHA-512:1074BB52C622B6EF0F5579383911AFE1110F5BFC32D6A8EFD05D3DC2594375D9A17359850FF13AA47213B9CB0D164DC882090C28F0CA612CD1B7C506BC2684D1
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.7.1.7.9.7.6.2.1.7.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.3.1.c.e.3.d.8.-.5.1.3.5.-.4.3.d.c.-.a.8.3.2.-.9.8.3.9.b.e.8.6.e.7.d.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.2.e.9.6.5.4.-.f.4.7.9.-.4.0.3.0.-.a.f.6.8.-.0.7.c.e.6.9.7.c.1.c.9.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.g.m.2.m.X.U.R.e.Y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.8.0.-.0.0.0.1.-.0.0.1.4.-.7.1.2.9.-.0.f.0.5.4.7.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.a.8.9.3.3.a.c.f.a.9.a.c.8.7.a.0.f.f.a.3.b.e.b.b.1.e.c.d.7.6.f.0.0.0.0.0.a.1.6.!.0.0.0.0.d.d.8.a.e.e.6.2.f.4.4.5.d.b.5.6.4.9.8.4.0.f.9.f.f.b.8.c.b.3.3.d.3.0.4.2.5.4.f.3.!.y.g.m.2.m.X.U.R.e.Y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.y.g.m.2.m.X.U.R.e.Y...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9172770899521122
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:ukWa5CYdmPIC8s2tYqOoA7Rh6tQXIDcQnc6rCcEhcw3r3/j+HbHg/opAnQr39DDm:Pan8dw056rwjS3ZrY3zuiF2Z24IO8+
                                                                                                                                                                MD5:37F890C7D30489AA64ECFF7437805BDE
                                                                                                                                                                SHA1:2180A0E51B5CAB9F287C767CBCB5592865DD3F09
                                                                                                                                                                SHA-256:6E79A87AC3037A21654B5565E95DE340F11FF6ED30949C798124EBE46043A1B0
                                                                                                                                                                SHA-512:460BCA4F06AF479CC3ADA84A19F276729E2678F966AB8EB373C31FBA8572D6587B1FE86D9E66A78BE72E205703716CC724D40167069523C3994D10CC121DDCD6
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.7.1.7.3.7.2.3.8.6.6.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.b.f.5.7.8.6.1.-.c.4.e.f.-.4.b.8.b.-.9.7.e.9.-.a.e.9.5.b.b.3.c.9.2.d.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.f.a.5.7.e.a.3.-.1.c.3.3.-.4.7.b.e.-.b.1.3.8.-.d.b.6.6.2.f.2.8.7.d.d.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.g.m.2.m.X.U.R.e.Y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.8.0.-.0.0.0.1.-.0.0.1.4.-.7.1.2.9.-.0.f.0.5.4.7.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.a.8.9.3.3.a.c.f.a.9.a.c.8.7.a.0.f.f.a.3.b.e.b.b.1.e.c.d.7.6.f.0.0.0.0.0.a.1.6.!.0.0.0.0.d.d.8.a.e.e.6.2.f.4.4.5.d.b.5.6.4.9.8.4.0.f.9.f.f.b.8.c.b.3.3.d.3.0.4.2.5.4.f.3.!.y.g.m.2.m.X.U.R.e.Y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.y.g.m.2.m.X.U.R.e.Y...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                Entropy (8bit):0.9570101763760863
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:Wv1a5CYdmPIC9s2tYqOoA7Rh6tQXIDcQnc6rCcEhcw3r3/j+HbHg/opAnQr39DDb:nan9dw056rwjS3ZrYKzuiF2Z24IO8+
                                                                                                                                                                MD5:15AAFB72D39EC78980202ED72E00200B
                                                                                                                                                                SHA1:A8E90C235F41B9ECC0A25BD3522D89841B577AFA
                                                                                                                                                                SHA-256:58BEBEB03603BAF50162B5FEE690F510878B223BF8C6E2C5FF4E4285E68B969A
                                                                                                                                                                SHA-512:1DC47EA6ABB710D117D21533CFF64C0C18AAD847562C864EE56DD535171D7F71DEC550FE8FDF0618A3FC8D1BFDCD1C3BA9FE241E8E7058716ACC81C772F9832C
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.7.1.7.7.1.8.5.6.2.4.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.a.d.8.5.b.a.-.b.8.f.8.-.4.3.7.e.-.a.c.c.5.-.4.8.7.4.b.2.4.9.f.0.0.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.a.4.c.0.d.b.a.-.4.7.d.e.-.4.9.c.2.-.a.6.8.2.-.d.2.8.7.e.7.4.3.6.e.d.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.g.m.2.m.X.U.R.e.Y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.8.0.-.0.0.0.1.-.0.0.1.4.-.7.1.2.9.-.0.f.0.5.4.7.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.a.8.9.3.3.a.c.f.a.9.a.c.8.7.a.0.f.f.a.3.b.e.b.b.1.e.c.d.7.6.f.0.0.0.0.0.a.1.6.!.0.0.0.0.d.d.8.a.e.e.6.2.f.4.4.5.d.b.5.6.4.9.8.4.0.f.9.f.f.b.8.c.b.3.3.d.3.0.4.2.5.4.f.3.!.y.g.m.2.m.X.U.R.e.Y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.y.g.m.2.m.X.U.R.e.Y...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9302268779181179
Encrypted: false
SSDEEP: 96:6zHjqa5CYdmPICPs2tYqOoA7Rh6tQXIDcQnc6rCcEhcw3r3/j+HbHg/opAnQr39Y:canPdw056rwjS3ZrY9zuiF2Z24IO8+
MD5: B735CB89093B533DABF186D0711EAEF8
SHA1: 39A7638C5F2499204E6DBAA4A05A0D61FC8EAE89
SHA-256: E89B497D5957D0DCB2085D6E6414C5369F993FE668F6C9D1266B76DD0326FAC4
SHA-512: 3D43F07201B943CB936F8E9DF58574296C3697C49EA8D7AD558CFF6B841D00300477A383471816CC8B28E415387B7521E1A8C4C9BB1D1CC8581043EF681DC697
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.7.1.7.5.7.2.3.2.1.2.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.6.2.c.e.b.4.7.-.b.9.9.2.-.4.3.2.d.-.8.2.6.4.-.7.f.f.3.2.9.4.5.4.d.6.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.c.1.d.d.e.6.5.-.4.8.d.9.-.4.9.1.a.-.8.a.e.f.-.f.d.a.e.e.0.2.d.0.3.d.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.g.m.2.m.X.U.R.e.Y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.8.0.-.0.0.0.1.-.0.0.1.4.-.7.1.2.9.-.0.f.0.5.4.7.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.a.8.9.3.3.a.c.f.a.9.a.c.8.7.a.0.f.f.a.3.b.e.b.b.1.e.c.d.7.6.f.0.0.0.0.0.a.1.6.!.0.0.0.0.d.d.8.a.e.e.6.2.f.4.4.5.d.b.5.6.4.9.8.4.0.f.9.f.f.b.8.c.b.3.3.d.3.0.4.2.5.4.f.3.!.y.g.m.2.m.X.U.R.e.Y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.y.g.m.2.m.X.U.R.e.Y...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9571986676365808
Encrypted: false
SSDEEP: 192:GOmantdw056rwjS3ZrYKzuiF2Z24IO8+:GBantdL56rwjQzuiF2Y4IO8+
MD5: 17AA447409FC21110260DF52C345720D
SHA1: 5313C50FFFCC8A4230962E0E8D786CC591B73E0E
SHA-256: B8DE22DF432F6CE7FD8CAA44F79699BE0350117C6AB343E0EEB3F7731425014F
SHA-512: 54F8FBB7ED96AFD06A85B78E2665C9CA20DC3A0959AF9668CB716CDEF1BB346EC018D56DD8C47C92A658E1840C29ED7CA53EFC8E18D4503ABE26BC17F3223055
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.7.1.7.8.0.9.4.0.6.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.9.3.f.1.f.1.6.-.d.a.2.c.-.4.a.b.b.-.b.b.f.b.-.a.3.1.8.2.d.0.8.c.c.5.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.d.1.6.2.3.2.e.-.c.8.c.7.-.4.f.6.3.-.8.7.b.a.-.f.f.9.3.d.8.c.6.3.9.4.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.g.m.2.m.X.U.R.e.Y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.8.0.-.0.0.0.1.-.0.0.1.4.-.7.1.2.9.-.0.f.0.5.4.7.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.a.8.9.3.3.a.c.f.a.9.a.c.8.7.a.0.f.f.a.3.b.e.b.b.1.e.c.d.7.6.f.0.0.0.0.0.a.1.6.!.0.0.0.0.d.d.8.a.e.e.6.2.f.4.4.5.d.b.5.6.4.9.8.4.0.f.9.f.f.b.8.c.b.3.3.d.3.0.4.2.5.4.f.3.!.y.g.m.2.m.X.U.R.e.Y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.y.g.m.2.m.X.U.R.e.Y...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9567307371811344
Encrypted: false
SSDEEP: 96:gZdNka5CYdmPICLs2tYqOoA7Rh6tQXIDcQnc6rCcEhcw3r3/j+HbHg/opAnQr397:AanLdw056rwjS3ZrYKzuiF2Z24IO8+
MD5: 79E31022B309EE7BBD5D9939E98F52B8
SHA1: 919C57B46F6D6AF2574F99E2D3C39314E3158E8F
SHA-256: 0D0893D76677CAE2970B445CF7E5F593EA24869838687C2F26A813688D04BA04
SHA-512: 57265BDC03AB911C37D19237361FD9D4375EF61214CF3E7AA49F46B174A35CDEFB5C9B8A1AEA99F6D141B5B811431870C26263ACEFB08AD6D91B1F6E0F1A7121
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.7.1.7.6.4.2.5.6.0.4.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.4.6.b.0.8.2.5.-.3.0.d.1.-.4.e.1.5.-.a.1.b.5.-.b.4.0.1.9.b.8.a.9.e.f.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.e.3.6.7.2.d.a.-.4.5.f.f.-.4.6.8.2.-.b.c.5.9.-.5.3.f.0.2.c.8.0.7.4.3.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.g.m.2.m.X.U.R.e.Y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.8.0.-.0.0.0.1.-.0.0.1.4.-.7.1.2.9.-.0.f.0.5.4.7.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.a.8.9.3.3.a.c.f.a.9.a.c.8.7.a.0.f.f.a.3.b.e.b.b.1.e.c.d.7.6.f.0.0.0.0.0.a.1.6.!.0.0.0.0.d.d.8.a.e.e.6.2.f.4.4.5.d.b.5.6.4.9.8.4.0.f.9.f.f.b.8.c.b.3.3.d.3.0.4.2.5.4.f.3.!.y.g.m.2.m.X.U.R.e.Y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.y.g.m.2.m.X.U.R.e.Y...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0110414557284957
Encrypted: false
SSDEEP: 192:danEdw056rwjS3ZrYT4zuiF2Z24IO8+5:danEdL56rwjuzuiF2Y4IO8+5
MD5: 8EFADA145FDA0006BC5526E53E6E69E5
SHA1: 1FCFA9574158190E93E0EB1190BC0C3937932239
SHA-256: 7CBCEBBD43EF0C4907D266CA55D621C1FFBA3507B3695C5B96ACED1099D10277
SHA-512: 99E4CBE459A75B544ADBCBAEED8DBBAC7598FB92EC8A5ED3BBD16B97233133398A782302AD8445BB7A17CBACD046877E66FDC2D158CE249479D61D599C233A60
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.7.1.8.0.8.7.2.3.6.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.c.2.c.e.2.f.8.-.b.d.d.b.-.4.3.5.7.-.b.4.8.7.-.4.6.4.7.6.e.6.7.7.1.b.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.8.f.1.3.c.7.2.-.7.f.7.2.-.4.b.3.1.-.9.2.4.7.-.9.1.3.5.e.4.7.f.5.5.7.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.g.m.2.m.X.U.R.e.Y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.8.0.-.0.0.0.1.-.0.0.1.4.-.7.1.2.9.-.0.f.0.5.4.7.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.a.8.9.3.3.a.c.f.a.9.a.c.8.7.a.0.f.f.a.3.b.e.b.b.1.e.c.d.7.6.f.0.0.0.0.0.a.1.6.!.0.0.0.0.d.d.8.a.e.e.6.2.f.4.4.5.d.b.5.6.4.9.8.4.0.f.9.f.f.b.8.c.b.3.3.d.3.0.4.2.5.4.f.3.!.y.g.m.2.m.X.U.R.e.Y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.y.g.m.2.m.X.U.R.e.Y...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sun Apr 21 23:52:54 2024, 0x1205a4 type
Category: dropped
Size (bytes): 62028
Entropy (8bit): 2.3396318094818365
Encrypted: false
SSDEEP: 384:ODFNFlTvHoeFBFaz60FWPF0WTAGC/fpn1NwR:8DFlTvBFaW0FKFbClW
MD5: 974ADD2AFD022C93D8DE356BBC42845A
SHA1: AD41478A51ABDB613B0A951696586E9EBD78BA70
SHA-256: F770468022ED44C11223CD40F5980612F04080040E0059F96155D00F3E169F43
SHA-512: 6A85703E58C761FA83FFA453DD65358E3EE4234EC3CD36BFE1AA2279CC3B2336FF21F2C662543EEC267CCC6EA3D4F50E5F8353EB33849EB737F0C856899B875B
Malicious: false
Preview: MDMP..a..... ........%f....................................$...l...........:0..........`.......8...........T............!..T.......................|...............................................................................eJ..............GenuineIntel............T............%f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8434
Entropy (8bit): 3.702862838540738
Encrypted: false
SSDEEP: 192:R6l7wVeJiPHk6HF6YEIlASUtZgmfsEpBJ89b2CsfmSm:R6lXJIk6l6YESASUtZgmfsF2Bfa
MD5: 67229C66850AC1B511E424D69E699975
SHA1: B462B81976314360715AA15CF33ABE62B7AC9F94
SHA-256: 2EAD7531BEFCAC03665C43FC019ACE52F259CAD25304E22EC92A05BE9551E7C9
SHA-512: 6C7B39342993136857CDBDFCABDE72E7A7DC005AA3461903690C3A1A31FDDAC836054BE264FC1F89E7A673400921DD504EB12C2D7922AE84943A08D4AF898695
Malicious: false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.0.4.<./.P.i.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4722
Entropy (8bit): 4.4873148240263685
Encrypted: false
SSDEEP: 48:cvIwWl8zsmJg77aI9OhWpW8VYThYm8M4JdNHFl+q8v5N5VPDqId:uIjf8I78w7VeAJdNK5jRqId
MD5: FD77323AAE1661277399B444D228CC2A
SHA1: 7F559311E80C35853C01544598482510D5D41730
SHA-256: E9112B674B21C8962BEF9C91A2EE96A088435FB1C931C4B3FDB82AA326DC0129
SHA-512: EBFE1AB4821B72ACC909F766E224020FB8B353CF2E63A04E6D69A4D7DB94921C7E3C5D3A3D15546055E32D5478E55C0F09F9572C897B48E7BD9F0E4A6D36A5B5
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290335" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sun Apr 21 23:52:55 2024, 0x1205a4 type
Category: dropped
Size (bytes): 76108
Entropy (8bit): 2.400306530253979
Encrypted: false
SSDEEP: 384:lQifXyDglTvLHx5RzFwqTul3t7lzF0WTAGC2qMawn41DW:lQqiDglTvjxfm9JplzFbCe49
MD5: 997644F12CB7205EAC242A2EC84AB677
SHA1: 43504DDBF5AB6890503E43E144C72726307512AD
SHA-256: AFA5B83C3F0F2411822D42F894BEB06634B876C1011E9EEB3D67C9AAFDE616B7
SHA-512: ADE8C40929E9874F03F1DD99532FC1798511131262858D6FED73B2E8C21CDC959F7D17BAF5D1103876C4E3678929B3CED6150A1253B42CF0379280349B3D38F9
Malicious: false
Preview: MDMP..a..... ........%f........................l...........<...t.......4....4..........`.......8...........T............%..........................................................................................................eJ......4.......GenuineIntel............T............%f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8434
Entropy (8bit): 3.702537291890983
Encrypted: false
SSDEEP: 192:R6l7wVeJiPI6b6YEI7SU8oZgmfsEpB089b/CsfrVm:R6lXJN6b6YEUSU82gmfsy/BfU
MD5: 192BC9B20B952C9DA212596D94ADFCA7
SHA1: 58F02BA91D0049CAF8242FD8FD703C8300C4A781
SHA-256: 8C4F735F4907CCC41A1207CFC42B2E0E37D73412B8B617895BF7DDD4246F3E97
SHA-512: 9376A2AF290E2FB041D62140B29CB74ABDD191959B4D9DB0D64A5D43394489402BDA21FAF92975CAE79662F9B7ADCE37A3B1F797C1077268CB78EEFB5ED267F8
Malicious: false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.0.4.<./.P.i.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4722
Entropy (8bit): 4.484512517881107
Encrypted: false
SSDEEP: 48:cvIwWl8zsmJg77aI9OhWpW8VYT8Ym8M4JdNHFQ+q8v5N5VPDqId:uIjf8I78w7VeZJdIK5jRqId
MD5: 53D03F18B5605276057E14804AD48E9C
SHA1: 0FA8D774DA5819EC126F5FA65906A405047FB306
SHA-256: B65CC501868974E0A0F25FC3AE2ED8585F3D68DA485A7E388A6A2919DB185F62
SHA-512: 8B857600A9F4919F89D209C97CF0A84177C27B9F993F07DB724214857443813C76C1355FEBF22F0655DCD3A5AEBA5E130E68DC910E6DA0A4004F86EF2893F8F6
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290335" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process: C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:52:56 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):87578
                                                                                                                                                                Entropy (8bit):2.2686825266320723
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:TQA8vFwTblTvJv0nRzsnIY0Biq7lzF0WTAGr/qjeCHXk9208sx:TQA8v2flTvZ0RUIDMQlzFbrqH0Ys
                                                                                                                                                                MD5:778F6A6AE4F015BFADC612E7E323B31E
                                                                                                                                                                SHA1:89E1D6627B2DD163BA8526C02185B7CCCB254725
                                                                                                                                                                SHA-256:08F1F1D2C842E3D80333B6DF77B3DDA4E3FCB7E7AEC0E2AF3689A638119F0438
                                                                                                                                                                SHA-512:7E3B58EABA5631EA8BB1D39810197691A744256BCBB04C495C0CD16AAADD386D6689EB601BCF1A87DC2A5EC6A29C7069F74C6778DBEF419F541D72E486D5C845
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MDMP..a..... ........%f............T...............h.......<................<..........`.......8...........T............&.."/......................................................................................................eJ......D ......GenuineIntel............T............%f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):8434
                                                                                                                                                                Entropy (8bit):3.701322191091698
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:R6l7wVeJiPc6UC6YEI7SU8oZgmfsEpBa89bECsfysm:R6lXJ56J6YEUSU82gmfsAEBf4
                                                                                                                                                                MD5:AB1B4A2820BE5C01440BD6BE64F730EC
                                                                                                                                                                SHA1:A5A508F9F93A40297794C87FF7309BB796D33AE0
                                                                                                                                                                SHA-256:F97F0A06CE54C6EE6C5426A58C406C7CF32D53C0963E7A274CA54C5BF359C42A
                                                                                                                                                                SHA-512:4FC252C5037D2CCCE1A7DE8F1883BDC4961E6D90C3D1099F46AA554DD77E871C64BCC203D2B00178CE50587FA4FBD1CB8D56F78101ED224DA7E0E719D4652F3A
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.0.4.<./.P.i.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4722
                                                                                                                                                                Entropy (8bit):4.487337119069883
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsmJg77aI9OhWpW8VYTRYm8M4JdNHFT+q8v5N5VPDqId:uIjf8I78w7VeQJd7K5jRqId
                                                                                                                                                                MD5:287C213E5AE01270268F1743BC2D8B42
                                                                                                                                                                SHA1:286529F615377387D9C4E20CD583B86A64F3ED43
                                                                                                                                                                SHA-256:BF80C5A120D6CCDE525856BD14AB958A98DB2543F34157F0D9A8F09B56C08B33
                                                                                                                                                                SHA-512:C1A746750C3C09CB1B34360580A4764FD6D8886EDE17A74585C21A3FF499B1B9C9F61EBE5F77C048D9950F400668911F58E6E5F64F1075199FF7B4E6B127875F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290335" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:52:57 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):87154
                                                                                                                                                                Entropy (8bit):2.2816938289255897
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:vQmkvFwT0llTvHRPARzvCFdq7lzF0WTA/CaAqkq0mZIxMD8DIQ3:vQmkv2gllTv9ujmQlzFOCawWIxMQ0O
                                                                                                                                                                MD5:2942DB1C690BD81975F4EA533B49BE37
                                                                                                                                                                SHA1:50F3FA636A97B1B203E4E66CDC9C37C48A560FDB
                                                                                                                                                                SHA-256:4FDC3E6B1FF393853E908DBA6D6F5E9131ED44475393636674BE482D13D12216
                                                                                                                                                                SHA-512:DCE3AE4E4732B7C812C71C5531CCEEBEF8D8562A8E4576F72ABFB97C6DC0526943B345C370EFD3103CF98BD17A0C7D1A8C7A050EE82FECD88AB6942CF522A039
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MDMP..a..... ........%f............T...............h.......<................<..........`.......8...........T............&..z-......................................................................................................eJ......D ......GenuineIntel............T............%f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):8434
                                                                                                                                                                Entropy (8bit):3.700849158369179
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:R6l7wVeJiPt606YEIZSU8oZgmfsEpBP89bNCsfivm:R6lXJI606YEWSU82gmfszNBfz
                                                                                                                                                                MD5:744B1F0B6462EDABA899CD9067C9F7E0
                                                                                                                                                                SHA1:8DE17778548A38F9606805981CDF7E047788D67F
                                                                                                                                                                SHA-256:35BB21FAD993DAE2EC883F4385A488C5052141797788A9671F8ADE1326B11CD7
                                                                                                                                                                SHA-512:B6F21F451DB3FCAA81A3F90516945E520A26625CE68808926544A3C1F2D8B0FDC30CA80803FB8AEB27CDCACA990E71BAF299FCEAA4C8C002B2ED14F39BDEA0D0
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.0.4.<./.P.i.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4722
                                                                                                                                                                Entropy (8bit):4.485468830421247
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsmJg77aI9OhWpW8VYT0Ym8M4JdNHFvw+q8v5N5VPDqId:uIjf8I78w7VeBJdHwK5jRqId
                                                                                                                                                                MD5:7F115129F40EE8476FAB275D64F22E72
                                                                                                                                                                SHA1:0974CB21A86D564FF1520EA23D2281B23A310864
                                                                                                                                                                SHA-256:49A5DB8E23581BEDC7A9D6F6DADFA6E55A77E7A18E6A2F0D659E625CFB8BB77C
                                                                                                                                                                SHA-512:9837A4CEFCEEEB2FB0989C3CFE3765D4A6DF232B10E0D6BDA26F93A92DA80ABD0A8E37B7F51CEC9A2978076AABEBB2B34E74E908CF1368ECC2790FE3241C7596
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290335" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:52:58 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):100820
                                                                                                                                                                Entropy (8bit):2.3533977183872405
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:jQmV0jX3lTvuW+RzWCoFrYy51xq7l9pF0W5AGrBUqIq+jhA8KE1Wbs:jQmazlTvZYysy5nQl9pFVrQjhAEN
                                                                                                                                                                MD5:51DFDADAAAAC26ECCC1CAF7F88E2583A
                                                                                                                                                                SHA1:095751F106E7F0EAEE3532F137CCC359C669F953
                                                                                                                                                                SHA-256:677BBB09DE4134E2CEBBCD3AD39137E4F6DF0B1E1B93BA47DF32E93F9E7D1FA1
                                                                                                                                                                SHA-512:E8350D5A6BDAF4E66B4FFC20CE1BC06E269444C7894197E19A3DFBB0AEEE45C1C9286524C1B82FE4B9C4B80E7EB996464622E70F6F66ACD63368B0BE4ECF822E
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MDMP..a..... ........%f....................................<................?..........`.......8...........T............,...\......................................................................................................eJ......t ......GenuineIntel............T............%f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:52:58 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):60740
                                                                                                                                                                Entropy (8bit):2.326926348718114
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:P+KkD3lTvF7gq7dUD9L660FvlKW+AGRwe/oT887:mHD3lTv5h0Z0FvlMRNoT8
                                                                                                                                                                MD5:5095038249865F0B37F265DEC11B8419
                                                                                                                                                                SHA1:BECE053E171A2BE079E49944B563D1DB154B33F2
                                                                                                                                                                SHA-256:CD9E4388D28D10BA1A7E92AB3001A8C54E0735DC900CD4A2D5DA1FF530E7D101
                                                                                                                                                                SHA-512:A07000C82A97AD6F048827B2726F1B1FDAD9AB6F31F99D1DA25B8890FEC9474EB779DF72A3C25CF6E300229944BA5E43C1508FA9740C849154ED13E7C4846B41
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MDMP..a..... ........%f........................(...........$................/..........`.......8...........T...............|...........$...........................................................................................eJ..............GenuineIntel............T............%f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:52:58 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):60344
                                                                                                                                                                Entropy (8bit):2.314623713595661
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:1R0ExBTvPSnK4MNt0Ftm4LAsKY3DIjD2G:LdxBTv8K4MNt0FtmGKYMjD
                                                                                                                                                                MD5:153A54CDB5516226D22428EDC04F7D65
                                                                                                                                                                SHA1:39DB92CC95F600E4F87AB1928126563DD1DEAF20
                                                                                                                                                                SHA-256:AF4BA3C531D41B566CDDBA2CF8EADACC388FDEEAD28AA081B67531CF5AF99B85
                                                                                                                                                                SHA-512:762D98A8B76F2EDDD85E668CE3DAB72F8AA1CC30CF4FC93B571DCB8E10330056FA38443A3011B5FDA2708FF2B32C560543D9A122D30108E45F9805D9D5726B29
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MDMP..a..... ........%f....................................$...............&/..........`.......8...........T.......................................................................................................................eJ......<.......GenuineIntel............T............%f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):8434
                                                                                                                                                                Entropy (8bit):3.7030612860634475
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:R6l7wVeJiPa6j06YEIASUNYgmfsEpBT89bKCsfsum:R6lXJ/6Q6YEfSUNYgmfsnKBf8
                                                                                                                                                                MD5:74607F07AFA851FAD333CF409C735EF5
                                                                                                                                                                SHA1:4D7FB2BFA33ECEE53E52DD79314F18B71488CEDD
                                                                                                                                                                SHA-256:FB691353475870DC43B795C983180713D7DB26415465E9B31494A945FCB98BFE
                                                                                                                                                                SHA-512:4C860BBD4AE7EA63B37B554B4A11A8BBA214DF8D879D8786ACF48108F4EFA6A9B83797D3C13DD4426015DC8FC870A3CA9AD7D1ED3E8B43F143BEDF202F5E5833
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.0.4.<./.P.i.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6400
                                                                                                                                                                Entropy (8bit):3.728455288239234
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:RSIU6o7wVetbrus6zcL2Yv2n/FXk4FgaMOUr89bKjRasflum:R6l7wVeJrus6QL2YvGEpBr89bKwsflum
                                                                                                                                                                MD5:C340CD95F57976DC7BC94CE1C1ABB03C
                                                                                                                                                                SHA1:ECE8AE31802EEFBA0106127125923EB25F599339
                                                                                                                                                                SHA-256:16E8DECDA4F8BD4853F1C0164B6FFEE26ACE5E299D0533DF7B4D6A4F4CD985CA
                                                                                                                                                                SHA-512:786E4FF363A35BA887762B62D5F373724BA19415F06B7E5E1F89BEC45729EAD954C5EA03487168AD8CCAF18D5EF6B10EFF54F404588DFDAA639245BE58A3D3D3
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.6.<./.P.i.d.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4722
                                                                                                                                                                Entropy (8bit):4.488202318004578
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsmJg77aI9OhWpW8VYTaYm8M4JdNHF9p+q8v5N5VPDqId:uIjf8I78w7VeTJd1pK5jRqId
                                                                                                                                                                MD5:13DB05728955E69A79733EF29DD6A223
                                                                                                                                                                SHA1:DE924DCF17ED7CFD6A3789DB11C5DD57568A5973
                                                                                                                                                                SHA-256:4B49E2716565D330060B5E5E7C9FC575045E305CF846CA4DB43044495400493F
                                                                                                                                                                SHA-512:45FDC109E177567C29F89AB90EC5CFDBDD33BA0FD3562C69419EDA0FEACBFEBCE6CCAB1C3E35C379E4654E7C4166BB9AC3F7921FDF6AF5E988F69385AF79B08C
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290335" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6404
                                                                                                                                                                Entropy (8bit):3.7274778134652173
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:RSIU6o7wVetb7uj6obGYv2n/FXk4FgaMOU089bK/sfiQRum:R6l7wVeJ7uj6oqYvGEpB089bK/sfisum
                                                                                                                                                                MD5:F58FA056EDC0DC690DC929CF4DB1CB25
                                                                                                                                                                SHA1:9F20BACF4757BA87BBF138FC4B845ACAB08F2745
                                                                                                                                                                SHA-256:30B8D31BCA5C9BC2DA646DDF04C0943F295765C5595A7A89A1DC3B975519439D
                                                                                                                                                                SHA-512:A239A1757FCD7C54B7E1FE5FCAF58F64F18874C3899274B810A6C0BFDA085CA73FDF8DCAC898F0DDEB1A99F6D8DBBEF3F4426CDDB781331882B42ECAEDB88C79
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.6.7.2.<./.P.i.
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4712
                                                                                                                                                                Entropy (8bit):4.487035546374169
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsmJg77aI9OhWpW8VYTUYm8M4J9NHFp+q8vHNB5TgJnMad:uIjf8I78w7VehJ9RKHv5TwMad
                                                                                                                                                                MD5:5C24E4CF560682E496C4266C151669AA
                                                                                                                                                                SHA1:D801AC4BAB03BD59E02BB7013B4C482B4800C28F
                                                                                                                                                                SHA-256:7CBEE5B77DB9489755C74471767F5476D1C56B969C202E0E5CB38C52981AD6E7
                                                                                                                                                                SHA-512:E689845EDEFFCA12010ED7755C1172EBBA35738FF0C5946FEA90F564A5E0E6FD7E4B7F4732E71373320CC661696CE5C490A96D38FB0691087037397CBFA0FA54
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290335" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4712
                                                                                                                                                                Entropy (8bit):4.485704216725901
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsmJg77aI9OhWpW8VYTwYm8M4J9NHFv5O+q8vHNqTgJnMRd:uIjf8I78w7VedJ930KHcTwMRd
                                                                                                                                                                MD5:29FEA86C320EA37538B51949D13FD5F4
                                                                                                                                                                SHA1:2D51B9AD1B206C4D5A62F0AF0EB03F5B4DCCA632
                                                                                                                                                                SHA-256:A6DF3BC3D021FE9C5890D017276BB9D39B21B5CDD9462CFAB49E66A833300B99
                                                                                                                                                                SHA-512:2249666FF3FA194A66F0DDF12670C32BCD3029DE5FBC3445A16683A712C0F2493050B931A6DA1E3AC5BF7AE82311CF728A54B63C4BDC00B808129E13A79C7CAA
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290335" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:52:59 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):111616
                                                                                                                                                                Entropy (8bit):2.3324828955389165
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:duQfx4oRslTvPZJX4RzS1WM5n6A7LFqqAKRqTlFpF0i5YGrB8qdYRiBLb2//Ss3r:EQfSXlTvHm+1WQlAcwlFpF5rHBn6ai
                                                                                                                                                                MD5:0E88AD0EDD7234A41732C9B681D7DF40
                                                                                                                                                                SHA1:F943BD1A26A287BE8C1F4A090730C6AF798F6267
                                                                                                                                                                SHA-256:E20649CD0C02248E09DB63E61D32CDAC134DD3F5145835F9E35663A148C2B276
                                                                                                                                                                SHA-512:4AF63E051B67D5468FE5A0C8CF7129B087C0B947A00E2749CB46850D0F030F4024248E68DD520EE17C64FF5D59BD9855B4C27D74F1A5D83A86F8271522892D97
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MDMP..a..... ........%f....................................<.... ......t...fF..........`.......8...........T...........`7...|...........!...........#..............................................................................eJ.......#......GenuineIntel............T............%f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):8434
                                                                                                                                                                Entropy (8bit):3.6998839306238227
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:R6l7wVeJiPN6x6e6YEITSUSygmfsEpBG89bWCsfsym:R6lXJo6V6YE8SUSygmfscWBfI
                                                                                                                                                                MD5:BD918F4E6900CD45C770ED0496D21630
                                                                                                                                                                SHA1:BB82A3D9C047F4DCF7AA733C8D8A43E77577919E
                                                                                                                                                                SHA-256:6335B34836EC46033495725575A7A9FBF3BFC1EA79BF589430EF6ABFA63FABC5
                                                                                                                                                                SHA-512:5A64FDEF59BF4B369DFA1FFF637F4C85354DF155DE6C3F9C8A383C6AFE87BC0706424C413D90559B4832A44ECD7CDC16C60D9A4E7CCB78F0556C59E6774A14AA
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.0.4.<./.P.i.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4722
Entropy (8bit): 4.4862339225276235
Encrypted: false
SSDEEP: 48:cvIwWl8zsmJg77aI9OhWpW8VYTUYm8M4JdNHFx+q8v5N5VPDqId:uIjf8I78w7VehJdZK5jRqId
MD5: E6CEB6A7E3957272F735765730AF50B0
SHA1: 5A13FAC678C099CABA8B2416F11F1F92D9645B6A
SHA-256: 73F76AB4F068A64254CA2AA84709B31BBA96A3187CA6974BEAE43120DBEEFFFC
SHA-512: 7D56CDD4ACEF904F74B3F7110571FA3643C36F427E2E6058E66A489B54886AA378F7992EEE025CDB3C54A390A05F0AC3589619AE8E3CA317B24BAFA8FE5851AD
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290335" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sun Apr 21 23:53:00 2024, 0x1205a4 type
Category: dropped
Size (bytes): 80298
Entropy (8bit): 2.3069676596027566
Encrypted: false
SSDEEP: 768:j9k2BTv4PmcN3h81rX3EwKl+mGKydrn5:xLAPmukrX0woGBrn
MD5: B4F3F950F7C571E83DA55EF1F3D22940
SHA1: 899F7E140F15BD6A786AA7114A465A8FC6D771DC
SHA-256: 06409A6B00844E38371EB3A6AC028A203A78792A87B8F2E352C0F0A9C1FDFBA9
SHA-512: 34393C3341950FB590E2B9D31E875B7C5D1E3725C0070106FCCC17E9B0775E0F7B8CA26A5D7CD2EDB95A1BFEAECB04DEFB04A8D8983A8A15C42CE434CC250598
Malicious: false

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 6400
Entropy (8bit): 3.7245592850846876
Encrypted: false
SSDEEP: 96:RSIU6o7wVetbruX6eLgYv2n/FXk4FgaMOUj89bWjRasfpym:R6l7wVeJruX6eLgYvGEpBj89bWwsfpym
MD5: 94F46513DEF430F198DD1962DE65B258
SHA1: 6B3B19D1014AE04D4637BBE46AF1CB28E3F0FF93
SHA-256: 5DDBE2A43A9CE8A9BF6C29EA0A6A99E73C8C6F6E5104CA5065310B0CF7350D31
SHA-512: 6F2E0B41F179A818E7DA2B9CC183131F50D9678FA4A32DDFFACE47BB9FC1689CA5C94EC9E3B64AE06A096B28AF10C6D6549250445A81B77AE2C878FAF4C3C3A1
Malicious: false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.6.<./.P.i.d.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sun Apr 21 23:53:01 2024, 0x1205a4 type
Category: dropped
Size (bytes): 75496
Entropy (8bit): 2.4082990406161318
Encrypted: false
SSDEEP: 384:HjXIpMNlTvgNPhN6WwLerr4PlIiH7l9lKW+AGRIR5cqpdvd:Hj4pMNlTv+PRhrr4eibl9lMR2cqpdF
MD5: ABEB632442A72F4655ECAEE603C334B8
SHA1: B6AFA7B9B7484BA97DF3FDA4ED4B588AE2963895
SHA-256: BF0655A5D025C9C8EF40CAC90F88F4A1B321F9B0F528E80D1E879A3677B71A39
SHA-512: 15D83840387E6B12DDA5FD94CB449B20C9829420876671F41604088CC200B6884F1095D5EA09D58BE6710F5670D7CC101FD19B900E5DC080D7B4E6DAEEA592A7
Malicious: false

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sun Apr 21 23:53:01 2024, 0x1205a4 type
Category: dropped
Size (bytes): 116444
Entropy (8bit): 2.2614410645822547
Encrypted: false
SSDEEP: 768:fQXeW1NIlTvjY7Y3o/wlFpF5rB0MKxwr:f/aM0ESOj5N0MKxwr
MD5: C71233BF0F4DE549BD44D1F63C08E1CB
SHA1: CD59610AFB4F6191256727ED7D63AD120F59CFE3
SHA-256: 9987343D02E153ED03E0FBB04D1AC4E31FA2788F0D6B974A2FC20EBDD59CE030
SHA-512: ED6F130E04475B77A5EED0944EA03380BCA93B66090574B6B15D150E1877FA6C8E2448DF2CE2CA6F52F9EC21B9D047AA19BA9CFB387E3C0C5DB39197CA267A84
Malicious: false

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4712
Entropy (8bit): 4.483397598464916
Encrypted: false
SSDEEP: 48:cvIwWl8zsmJg77aI9OhWpW8VYTMYm8M4J9NHFQ+q8vHNB5TgJnMad:uIjf8I78w7VeJJ9YKHv5TwMad
MD5: C462EC791158E23A3A40560913A5211B
SHA1: 7C053047C777B00ED58ECCAF9BF0E3B43E0AF876
SHA-256: C21953EE76E849F63254ADEB8A633A7948852BF276326127F9A3FE55BFE5B8E8
SHA-512: C88E1B92D1C408F3E621097EB884D482F01366ED784D90B546EB1A707F233B3A985086EB349EA24BC7EFFA1E9F218F821B47289DFBA157D3EBF06C3ECB1C0448
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290335" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8436
Entropy (8bit): 3.7018085251760318
Encrypted: false
SSDEEP: 192:R6l7wVeJiPj+676YEIXSUSygmfsEpBJ89bfCsfz1m:R6lXJU+676YEYSUSygmfsFfBfs
MD5: 27012439AF8C5C3720E14F7BAEA54A9B
SHA1: A2E4B8942B924FCF3A3D34577CCD76D4BF662F94
SHA-256: BA6CCBDDF94C10BADC547A7543CCDB717D5866F0DB3118D5A4905D2D254B1FB7
SHA-512: 1E1197EA793742E2379FD8D3B2244890595C4926CF8872F6B898E51ABB8ED689617F050D897A88F00EEF8C4060D77CE18ADD30A8596F8041252929878C317D64
Malicious: false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.0.4.<./.P.i.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 6404
Entropy (8bit): 3.725052707293574
Encrypted: false
SSDEEP: 96:RSIU6o7wVetb7uR68YYv2n/FXk4FgaMOUG89bf/sfm1m:R6l7wVeJ7uR68YYvGEpBG89bf/sfm1m
MD5: ABD1E8120D365A13BA0F1A9E5A95945A
SHA1: 1D476C1CB99E0DD086213F78B75B3669D904AE12
SHA-256: 38B7CB512B4B28AE601FD28986C6499F0A6719F3B667A83D9284F624B8C5C021
SHA-512: E6856B306BDDD4755786B5B22FA8FE0F65D1F0A98512D322A0E5A520A1D19AF2CD9CF0E52E8A9F5A81C960686E63281A216B2EAD8EC9FC70178D546B758EE587
Malicious: false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.6.7.2.<./.P.i.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4722
Entropy (8bit): 4.489505718006816
Encrypted: false
SSDEEP: 48:cvIwWl8zsmJg77aI9OhWpW8VYT4Ym8M4JdNHFHH+q8v5N5VPDqId:uIjf8I78w7Ve1JdPHK5jRqId
MD5: EC6B002DF7C9710B4B63C1C48A59584F
SHA1: 53DA84DC387DCEAF1D2B4AA0E8F077F5C717899A
SHA-256: A2DABA8B92A9F8FE6FF1576DAF9D7BDDEC6EB66B86EA90DE0A61C13ED1B2DCC3
SHA-512: CB2984278615F5257303D1FCCCC23E36FD0F1BB745725622A6EC438FD998EC2D0E4709B6A784D6FC2E171875FC20AE37C16B3A3D55E8969C3B04719242CF7BED
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290335" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4712
Entropy (8bit): 4.485146556167968
Encrypted: false
SSDEEP: 48:cvIwWl8zsmJg77aI9OhWpW8VYTcYm8M4J9NHFe+q8vHNqTgJnMRd:uIjf8I78w7Ve5J9mKHcTwMRd
MD5: 6C01C2BF9A38ED5D06169AFFA0472B07
SHA1: 190A7B0CE11B3D78ABDBE99D2C25105152FD93F1
SHA-256: BB39C1825168565BE30DEBFA2ACA5E9BA79F60386C7D63088CFD957980C145C3
SHA-512: F067C9A50C3E030ECC906EEB5AD2C44D9D6E63A389C129ABF4D8560B0F65E4994E128172A6D1A1599DC89618F35BBF36AA782D906DC5ACFB2D62CECDC6679E63
Malicious: false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290335" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:53:02 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):85894
                                                                                                                                                                Entropy (8bit):2.2452816313376855
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:pOUQQsZ7bBTvkzb6/lXdLgEwKl+m4LAsKMNyOFllWOX:pn1+fBTvkytXdUEwKl+mGKMlRWu
                                                                                                                                                                MD5:2C3C6C4842D26C98A74DBD13A3878BA5
                                                                                                                                                                SHA1:E122A6BB6790BA1BC32DFFDC60AE14681724D043
                                                                                                                                                                SHA-256:F82996AC19F579C2022ECB2BA561126D3B4BE8ECD81C7F876EFB21DBAE8E6765
                                                                                                                                                                SHA-512:11FAD255485DC7CA227D41D3C9F677A1DB8A46C1288BA8A364E83966686436A07D7B2C3FA7B7F902590C01109700515716A84B6D960180D77FA74572556E9CDA
                                                                                                                                                                Malicious:false
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6400
                                                                                                                                                                Entropy (8bit):3.726963333663136
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:RSIU6o7wVetbruS6YYv2n/FXk4FgaMOUOx89bkjRasfBMm:R6l7wVeJruS6YYvGEpBOx89bkwsfBMm
                                                                                                                                                                MD5:FBA7A5CA9BE9D861F78029278E94CEC4
                                                                                                                                                                SHA1:2A9F764233B140C5C186D5722E6DF4E16801694E
                                                                                                                                                                SHA-256:CC17A89FA9DA0B5F982E07255C5FF01623803A020F8D4B99226FF21459F10FDB
                                                                                                                                                                SHA-512:7923474FCE4929E4796799BE5F35FBFDE526FD14CE64F0BAE866EFF26F1DDCDEBBBBC145F042E00CE185E0C1320240E38E1D88E870347BCD834043D06B885CCE
                                                                                                                                                                Malicious:false
                                                                                                                                                                 Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>..  <WindowsNTVersion>10.0</WindowsNTVersion>..  <Build>19045</Build>..  <Product>(0x30): Windows 10 Pro</Product>..  <Edition>Professional</Edition>..  <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>..  <Revision>2006</Revision>..  <Flavor>Multiprocessor Free</Flavor>..  <Architecture>X64</Architecture>..  <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>..  <Pid>736</Pid
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:53:02 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):81318
                                                                                                                                                                Entropy (8bit):2.3688849520536674
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:OLQZElTvpAl0662MLUZrGgl3RvnH759lKdBAoRyp5BpPMG:OEKlTvWl7TZrGivnb59l+RK1
                                                                                                                                                                MD5:52B43079D90ECB3F1839804DD4D884D1
                                                                                                                                                                SHA1:DC862639FB52F202B8AF3B28E7E6BA94B72CFF6D
                                                                                                                                                                SHA-256:08276062F0218C45C195EFD67858EF77D8EB42A407BEA909A5955460FFEFDFAC
                                                                                                                                                                SHA-512:E0DFEB2470C2ADF9FE1A65F2AEB34518DDF8AC1668F85F9DFE5F90B748C267508440A8C68DF6ACDFC6417091498A09198F5182ED2655808BF88D7B4D9CFEC163
                                                                                                                                                                Malicious:false
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4712
                                                                                                                                                                Entropy (8bit):4.484785052116609
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsmJg77aI9OhWpW8VYThYm8M4J9NHFPy+q8vHNB5TgJnMad:uIjf8I78w7VeAJ9SKHv5TwMad
                                                                                                                                                                MD5:EA643FF2E341D1FE75A1C7396513D5FA
                                                                                                                                                                SHA1:9613C79D27A6BC5428D0370D82E938B349CE3AEE
                                                                                                                                                                SHA-256:4FD942F10A576E265FB2B2EA3BC84C2D9CEBB14AC1AABDCB06BADC28704B92FD
                                                                                                                                                                SHA-512:C90299A63794FD2A4E9AD57BB67D99F7C1EBD2BDD64867D06AACAC5429B6AA71204F6DD54335D35A96545B19A8BAB608FDDC56FCE3B8F17C3DE7766EC79922B2
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290335" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6404
                                                                                                                                                                Entropy (8bit):3.7263247221086844
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:RSIU6o7wVetb7uN6SYv2n/FXk4FgaMOUw89bk/sfAtvMm:R6l7wVeJ7uN6SYvGEpBw89bk/sfYMm
                                                                                                                                                                MD5:84735122A9CA87072711C3B44FDDEAF8
                                                                                                                                                                SHA1:2FF94DE95BDB4C40E550354070162001B199D3ED
                                                                                                                                                                SHA-256:F0AE0360112FBF5C88F7593CD88149A82FA599D6B49548077A55465F59DC8166
                                                                                                                                                                SHA-512:82AC262503098AC7C5A967A734BC3337DBE065273D455B764D2F09DBC3EC79994DC050088EB6D89C94BAD88413451B6887B904F871AEBF4D327B477DE3307453
                                                                                                                                                                Malicious:false
                                                                                                                                                                 Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>..  <WindowsNTVersion>10.0</WindowsNTVersion>..  <Build>19045</Build>..  <Product>(0x30): Windows 10 Pro</Product>..  <Edition>Professional</Edition>..  <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>..  <Revision>2006</Revision>..  <Flavor>Multiprocessor Free</Flavor>..  <Architecture>X64</Architecture>..  <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>..  <Pid>1672</Pi
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4712
                                                                                                                                                                Entropy (8bit):4.486766807123678
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsmJg77aI9OhWpW8VYT6Ym8M4J9NHFnUt/+q8vHNqTgJnMRd:uIjf8I78w7VezJ9IKHcTwMRd
                                                                                                                                                                MD5:DD01202FC103160C0D4041A1C8FF9716
                                                                                                                                                                SHA1:EB9655A86B936737F4CA75B4215C38DCD86658C3
                                                                                                                                                                SHA-256:64D15D5670CFBC6D259293D1BAB3214D6478C7F13511F1437387A4841D086553
                                                                                                                                                                SHA-512:8D5727512D03E28E4AE7F89B502C841CF19E22601FD9798D59E062B95CC25DFB3CD91294EE060B0F43EB32210C8984830F756C5F7460E0BD6AF0CB121950F070
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290335" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:53:03 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):99454
                                                                                                                                                                Entropy (8bit):2.3224369085069023
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:qjjGA78yLmBTvvPJT3ikbuXAeFpwKl+m4LAsKI+Tp+u7wQL3EY:wjGm7LmBTv35iZw4pwKl+mGKIY7zL
                                                                                                                                                                MD5:8C7C2DD411017BFF5AE28D37360EB678
                                                                                                                                                                SHA1:44730FF2240F7E88859F7CB4302BDE86DE8D3655
                                                                                                                                                                SHA-256:551A063D67F05B5F80485F959D3218C458384DA1CFA8DE5CF34FFAB4FDD37A8B
                                                                                                                                                                SHA-512:90309B883C8A9C0CC16555C3C87C189F3CCA0363A0CB347426B2246C02A2FF946D2C01A46547275D0009BF8264B32A1DD9B57B72E52B70E2AB702FA2C8F7093F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:53:03 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):85886
                                                                                                                                                                Entropy (8bit):2.263815192442
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:qJvxckLxlTvAwirf6S4L2GnH759lKdBAoRq1QqMCaF:CviSxlTvXiNtGnb59l+RqrMZ
                                                                                                                                                                MD5:07383D747120836AFB81312F96EC2F21
                                                                                                                                                                SHA1:B5CC2A635C77666F1661AD7D155B2CFE6DC6E38A
                                                                                                                                                                SHA-256:AB649C96FA136E40A5F7D7107BCE12A510C52613B81B4B9D598A32C9A5B67668
                                                                                                                                                                SHA-512:06240F6A4F03EAD4FBB8019694A6A33288642A01037EBD8A5CB92396E6DC2CD4009A9374B396176B680EB21DC0E392A89C8750E1560A6057599227F5282E92FB
                                                                                                                                                                Malicious:false
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6400
                                                                                                                                                                Entropy (8bit):3.724630785607503
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:RSIU6o7wVetbruk6lxx9Yv2n/FXk4FgaMOUt89btjRasfvPm:R6l7wVeJruk6bLYvGEpBt89btwsfvPm
                                                                                                                                                                MD5:24C571FAF91646736D652C004AFC08A3
                                                                                                                                                                SHA1:B25395505ED0130197FF1DC8085071B81463D2DE
                                                                                                                                                                SHA-256:536B5F42059FCB73726E82AE84BA85179FD69F4D3549E2F2E7247A4B9E0707B4
                                                                                                                                                                SHA-512:7C125BDC1308A26D990C3FA465B143A3BD2717A1044125C60DF53A0D7F12A2681B24B00E59D23CCD0C27A6EBE2B68DC007DF276A42E1B2D71CE16F4B9A9EDED6
                                                                                                                                                                Malicious:false
                                                                                                                                                                 Preview (UTF-16 decoded):<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>736</Pid
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4712
                                                                                                                                                                Entropy (8bit):4.4836396373901275
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsmJg77aI9OhWpW8VYTOwYm8M4J9NHF03+q8vHNB5TgJnMad:uIjf8I78w7VeOdJ9s3KHv5TwMad
                                                                                                                                                                MD5:09E2AC2427CDA10E6E8148D73CB0CDC6
                                                                                                                                                                SHA1:C0593924952FA4E700E16F9DDCD48CA57A6B9C38
                                                                                                                                                                SHA-256:B233DDCC1098371B240F631A1F7031073EF4F1CB5C19D9F5F5493F7253705EFD
                                                                                                                                                                SHA-512:00E91AD5E641A2E2ECF95E6690FAC55FF562FE0A95E01EBC95F73238FFA278E20A1CC7F2C7FC2188038A286F2337642915EA8E9CAF9429BED938AC09F1DDAE94
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290335" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6406
                                                                                                                                                                Entropy (8bit):3.7252284072874993
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:R6l7wVeJ7ujg6QfYvGEpBQ89bt/sfx7Pm:R6lXJ0g6wYu+tkfxa
                                                                                                                                                                MD5:783C1B1D01BDCA2A0F2A0EF151C49209
                                                                                                                                                                SHA1:96E26C23CC75B4852F7CDA3F8AA6ACB8FFCF25C4
                                                                                                                                                                SHA-256:BD68C0C975621612CF92219097D41DEE42179387BF183DECC8A3DAFEEE76C296
                                                                                                                                                                SHA-512:E895DE8362943D9AC170AE8D2914FE931AC7A6C444C5CE0BD79626C4B7455B6B5E0BE17A13843C7B61BD8ECA73235F8A3A16DFCCD91126E3AEE711DCCE92995B
                                                                                                                                                                Malicious:false
                                                                                                                                                                 Preview (UTF-16 decoded):<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>1672</Pi
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4712
                                                                                                                                                                Entropy (8bit):4.485565856210996
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsmJg77aI9OhWpW8VYTXYm8M4J9NHFK+q8vHNqTgJnMRd:uIjf8I78w7VeKJ9CKHcTwMRd
                                                                                                                                                                MD5:5D555A6F79215FE604211C79B677A82C
                                                                                                                                                                SHA1:C870B334154A993966E055D612F658CCB73511BF
                                                                                                                                                                SHA-256:1B99F76CAB26A203BC298C83AC71FA076C8042EEB675A7EB58CDCC84326E5F42
                                                                                                                                                                SHA-512:A473FC4A4A4396EA39D068075176385C4D127BD68003A11C0B7682528A18495A7AC97CA75BF153228EBADEBB34E78B7B2C8F45E18FA87EA44074A79120BC5980
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290335" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:53:04 2024, 0x1205a4 type
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):101496
                                                                                                                                                                Entropy (8bit):2.1847610690071084
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:ze0hO3wUcBTv+xqzb+aTCPYj2yFpwKl+m4LAEKZQeJFcM41g:zecO7cBTv+UWdP8FpwKl+m+KZPF34u
                                                                                                                                                                MD5:835F53318972E9F238B746F82DD20E4F
                                                                                                                                                                SHA1:A4306BDA15A9187F8C42804B4CB5FE4FFA908594
                                                                                                                                                                SHA-256:5972D9A74AE8CA16161EEC1834D196E6C0BBD6EF51CA7D325BC0B5E19EFF60FB
                                                                                                                                                                SHA-512:EA006EE4CBB40A14FA5BE5FED0E2E4C97BC28BC76CD9F161E416A3FCD86C35C011BA4376308C71CAE669244C436A597AC2EB589DEE6FE766DAC19A62B0B613EF
                                                                                                                                                                Malicious:false
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6402
                                                                                                                                                                Entropy (8bit):3.7246845422728114
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:R6l7wVeJruju6GzcYvGEpBM89bywsfWKmm:R6lXJEu6ZYuKyDfl
                                                                                                                                                                MD5:0219190D18C54B0737176AF588924C6E
                                                                                                                                                                SHA1:687D69E2698CECFF352F843649A9FE4FA3B0EA13
                                                                                                                                                                SHA-256:F5099FAF12164A09D07AA4149D30EF2F341D2787B2BF7DADA2C8E8D6D8BC7225
                                                                                                                                                                SHA-512:338B97DBC750655C716430250A11043ADFE68AD88F666F960E173E0B3AA1F1DD42817662AE44313B3A074FCED4B1825C419E63490B81C2F34BC8A840628B19A0
                                                                                                                                                                Malicious:false
                                                                                                                                                                 Preview (UTF-16 decoded):<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>736</Pid
                                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4712
                                                                                                                                                                Entropy (8bit):4.483530091193038
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:cvIwWl8zsmJg77aI9OhWpW8VYTeYm8M4J9NHF5a9+q8vHNB5TgJnMad:uIjf8I78w7VeXJ9YKHv5TwMad
                                                                                                                                                                MD5:02A62EB1D879FF10FE8BEF7AAFC5D8D8
                                                                                                                                                                SHA1:6D51C1692CB9BF256E44A8B02EC072C38B269DDB
                                                                                                                                                                SHA-256:3B8FA982163E18B95E2934B22719179E8399BEBFA035BAA2F54ABAB10B404084
                                                                                                                                                                SHA-512:B8AF99D469CF3EDDDACAA5C27C664E76AC4FE327155940EC2A7AFC13A74C5AAA07F390756644F31AF2F061A4B3C12F01DA0078B8C76E45C5973F96704B0C7524
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290335" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                Process:C:\Users\user\Desktop\ygm2mXUReY.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):997888
                                                                                                                                                                Entropy (8bit):7.765309926729777
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24576:opsnpECte4yQyGPLUXotoVeJVUXuJlt+ZPZzR4:opspbe3GPwZVeIeJlt+ZxzR
                                                                                                                                                                MD5:D668244429E4A7A0B205B2CE843B9663
                                                                                                                                                                SHA1:DD8AEE62F445DB5649840F9FFB8CB33D304254F3
                                                                                                                                                                SHA-256:EF09750219F549D293572AEDB0F593EF6C4A74AC77BB99950CA8B5A91377AB89
                                                                                                                                                                SHA-512:998A0CD29C6ED6B9D922E2A5706A0B9F661F4C9EC2D8F30EF942BBC69D42C8D30938297D81123C6F2B312F5F09E81E08BBC38B944A563E4D0B7B17BD28DB2438
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 37%
                                                                                                                                                                • Antivirus: Virustotal, Detection: 39%, Browse
                                                                                                                                                                Process:C:\Users\user\Desktop\ygm2mXUReY.exe
                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:false
Preview:[ZoneTransfer]....ZoneId=0

Process:C:\Users\user\Desktop\ygm2mXUReY.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:modified
Size (bytes):2902
Entropy (8bit):7.75013991512401
Encrypted:false
SSDEEP:48:98afL8DZIeXWt/QLRGzkH4IMlhl/YX2gBMigpCPgM9n3KJ6Uk2OVJMw:B8D/XWtGRO2fMlbQX9CQY43KJWn
MD5:575531A71490D3CEBEB6B2ADD857E06D
SHA1:EC86722D1446095A5CFAD60EED64CD0A7A181EC2
SHA-256:592B03F0D792B295822D295DB6D6EBF59E83209259A494F997091C48533F499B
SHA-512:2ABA1ABF8B70CFDF21AB2B698AD3F064D3D14781F551B4E100EE2626B211F160A8AB8DF80B078EA57B510D3D17A218BE858D3A30D985288F9E5C2938B2EE20D7
Malicious:true
Yara Hits:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\SZDEAvOWuc1j5blWLO4H6aA.zip, Author: Joe Security
Preview:PK...........X................Cookies\..PK...........X..E.............Cookies\Chrome_Default.txt....P.@.5.....d...`|L2J1l.. .3."_..N.......q..b..=../c.;{.........4F8...0..Y.........Z}Y.g.<w3.f.W(....K.o..l...!*.......y.o;.F..5%.....|0MS.....J.,....../.o...8.H...,M.......;.....I!.z.W....j...e....fE.?.X....6...g...skL.K.85b.U.5...[/.<.h....C..|...C5"{..i.$...'..W).f.O.i..4.....L..Z..t.Z(].2.m.?..<....]........f..I3?.q..8U.6...8.N.y_#Vb...g.k?.Z1.!.3$.....\.%...PK...........XO...............information.txt.Y[O.J.~..........a.3.3QB`.}p.N.p..v .j...............UU.}.M.dH.E.>.{..."....^..5......lJ.9.l....)..q.....:$.aR/L8.}.....`.'.....E./.....y...H.....4...c.......j......_.wq.p/@..5_..3..da.6\..P.0j.D.....w..<...e.Ww_M.P.......5...<.3..MQ>..i..8.l....G.G..Yo..2.=o.m.I....Q...I.<.?.{..{..n>....Y..`...rt...e.e...@}.'.S5$....dR..v....Q..lkS.?.5.?.*.!...9.~>.9..Kc.~.5.2.V.,z&SS.......$.u.G.....6.|0......E......u.....'G.<.MB...*)..../...d.*m......

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:modified
Size (bytes):2932
Entropy (8bit):7.7518906192798225
Encrypted:false
SSDEEP:48:93a8lnPtLe849QnPmn9EwDwr/Ojdw6KX+QIBMH9LgB56IrKN/U3nn3KJ6nkFOhww:PhWQnPmn9EwD66aWMBgB5VrK52n3KJa
MD5:9F4E7D2CB39E0B6DF90AE6891E39F233
SHA1:D0CE4B30152990370A44D921D3E863CB37CE0AD1
SHA-256:649A61820E69031CC175392F5560232A922BFF1852E731450FABAB888AD7ED5C
SHA-512:E3E1FD7D6CBCD5D32EE72FBCCDD08A3F22ADBA1EE60A7FA720CD882C254B031AA5BA7443B2B39CACA54D2DAC617A3DE1A6D6C0C0DB10ADAFA852E6F470D6171A
Malicious:true
Yara Hits:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\dxTuy4jPkMDKvqGzbwvO8nc.zip, Author: Joe Security
Preview:PK...........X................Cookies\..PK...........X........$.......Cookies\Chrome_Default.txt....P...5.........`.L2J1l..\@.k.D..M'.t.k[Op...k...=..#T......?T...y..8.!(.h.>....o?.E.<.....EvWV.A....r,.4..|...u..<..4..T..w..1....._V..a..jZ....qcY..:.T.I.................l9.u..M.n.Q.W..Y3..".i...N.....;.n....t..].|-8|....W..v.....If&xA,}.`+5~.....Yx-..3..><9.]K.)..in.. .H=.@..FEH.a..<...0.j...t.J,=>6..z.k.x...N...f*.R.+.Y...~i.I..4.....p.Wm...5j.............*....tI..t.o..E....PK...........X..,.............information.txt.YmO.H...)........m..A..f&;Q ...j..`...@....+....G..RR]].T.S.m.t.f...*}..~..J.|H...{...6C2.rr......CN..\..Q|......I=7. .u4.>..y...JP..?O....g...#!b_H:.,....3.b.....^.........F{..............B....Q.s...C2..M.bYF+...'..&....lM.wS...sZZ.Y...E......n.V.QvwmV.L.........8..x...I.<..........M...wrRgQ^.....rt...E.e....}.'.S5$...Q....V...Q.ZojS.?...>.*.!...>.z>.>..J.y....:..:....TE.i.0..-.2......&Z.F..F...W.</.2yY.\g.2K.{r4...$.k./.buL>.r

Process:C:\Users\user\Desktop\ygm2mXUReY.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):13
Entropy (8bit):2.345851989338261
Encrypted:false
SSDEEP:3:L/gc:zgc
MD5:77300B4E61394E6181367F5E3B73E081
SHA1:F3D906CF9099782C12B88248A91BED0FB00C56D3
SHA-256:5E91A4AB52806ED1F3E1B44FA5DADDF7327C608DBFD23D3DAE744943596CFC07
SHA-512:8B85B0389E6655AE7DEF5604B5B33ECDC70B02383E451BDE607C595EF277C7136718A4AE4AF75327E5E3E660CB8CB7BA5C7BD4E86CC72BA29294861A3836DBAF
Malicious:false
Preview:1713747473789

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):20480
Entropy (8bit):0.8439810553697228
Encrypted:false
SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.136413900497188
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:429F49156428FD53EB06FC82088FD324
SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:false
Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.03859996294213402
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:false
Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):155648
Entropy (8bit):0.5407252242845243
Encrypted:false
SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:7B955D976803304F2C0505431A0CF1CF
SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:false
Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):51200
Entropy (8bit):0.8746135976761988
Encrypted:false
SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:9E68EA772705B5EC0C83C2A97BB26324
SHA1:243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
                                                                                                                                                                Size (bytes):5242880
                                                                                                                                                                Entropy (8bit):0.03859996294213402
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                                                                                                                                MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                                                                                                                                                SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                                                                                                                                                SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                                                                                                                                                SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
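The File Type strings on these dropped-file records are decoded from the fixed 100-byte header at the start of every SQLite 3 file, and they can be reconciled with the Size and Entropy fields: 2048-byte pages times 25 pages is exactly the 51200 bytes of the first file, while the second file reports 32768-byte pages times 46 pages (1507328 bytes) inside a 5242880-byte file, so most of that file lies beyond the last database page and is effectively zero-filled, which is what its 8-bit entropy of 0.039 reflects. The following Python is an added example written for this report, not code from Joe Sandbox or from the analysed sample. `build_header` constructs test headers from the field values printed in the records (constructed data; it does not read the dropped files), and `describe` approximates the report's File Type wording: which fields are printed, and when (page size omitted at 4096, writer/read version omitted at 1/1), is an assumption modelled on the lines above rather than the report's own rule.

```python
import math
import struct
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"
TEXT_ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def parse_sqlite_header(data: bytes) -> dict:
    """Decode the 100-byte header at offset 0 of a SQLite 3 file.
    Offsets follow the SQLite file-format spec; integers are big-endian."""
    if len(data) < 100 or data[:16] != SQLITE_MAGIC:
        raise ValueError("not a SQLite 3 database header")
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:                      # spec: 1 encodes a 65536-byte page
        page_size = 65536
    (change_counter, db_pages, _freelist_trunk, freelist_pages, schema_cookie,
     schema_format, _cache_size, _largest_root, text_encoding,
     user_version) = struct.unpack(">10I", data[24:64])
    version_valid_for, sqlite_version = struct.unpack(">II", data[92:100])
    return {
        "page_size": page_size,
        "write_version": data[18],
        "read_version": data[19],
        "file_change_counter": change_counter,
        "database_pages": db_pages,
        "freelist_pages": freelist_pages,
        "schema_cookie": schema_cookie,
        "schema_format": schema_format,
        "text_encoding": TEXT_ENCODINGS.get(text_encoding, f"unknown({text_encoding})"),
        "user_version": user_version,
        "version_valid_for": version_valid_for,
        "sqlite_version": sqlite_version,
        # The in-header page count is only defined to be current when
        # version-valid-for equals the file change counter.
        "page_count_valid": version_valid_for == change_counter,
    }


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def size_check(hdr: dict, file_size: int) -> str:
    """Compare the real file length with page_size * database_pages."""
    if not hdr["page_count_valid"]:
        return "header page count stale; cannot compare"
    expected = hdr["page_size"] * hdr["database_pages"]
    if file_size == expected:
        return "consistent"
    if file_size > expected:
        # Bytes past the last database page: seen when an application pre-grows
        # the file in fixed chunks; that region is zero-filled, so entropy falls.
        return f"{file_size - expected} bytes beyond last page"
    return f"truncated: {expected - file_size} bytes short"


def build_header(page_size, change_counter, db_pages, schema_cookie,
                 schema_format=4, user_version=0, sqlite_version=3042000,
                 write_version=1, read_version=1) -> bytes:
    """Construct a header for testing (constructed data, not a dropped file)."""
    hdr = bytearray(100)
    hdr[0:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, 1 if page_size == 65536 else page_size)
    hdr[18], hdr[19] = write_version, read_version
    hdr[21], hdr[22], hdr[23] = 64, 32, 32          # fixed payload fractions
    struct.pack_into(">10I", hdr, 24, change_counter, db_pages, 0, 0,
                     schema_cookie, schema_format, 0, 0, 1, user_version)
    struct.pack_into(">II", hdr, 92, change_counter, sqlite_version)
    return bytes(hdr)


def describe(hdr: dict) -> str:
    """One-line summary in the wording of the report's File Type field."""
    parts = ["SQLite 3.x database"]
    if hdr["user_version"]:
        parts.append(f"user version {hdr['user_version']}")
    parts.append(f"last written using SQLite version {hdr['sqlite_version']}")
    if hdr["page_size"] != 4096:                    # assumed: default omitted
        parts.append(f"page size {hdr['page_size']}")
    if (hdr["write_version"], hdr["read_version"]) != (1, 1):
        parts.append(f"writer version {hdr['write_version']}, "
                     f"read version {hdr['read_version']}")
    parts += [f"file counter {hdr['file_change_counter']}",
              f"database pages {hdr['database_pages']}",
              f"cookie {hdr['schema_cookie']:#x}",
              f"schema {hdr['schema_format']}",
              hdr["text_encoding"],
              f"version-valid-for {hdr['version_valid_for']}"]
    return ", ".join(parts)


if __name__ == "__main__":
    # Constructed file mirroring the first record: 2048-byte pages, 25 pages.
    db = build_header(2048, 1, 25, 0xE) + bytes(2048 * 25 - 100)
    h = parse_sqlite_header(db)
    print(describe(h), "|", size_check(h, len(db)), f"| entropy {shannon_entropy(db):.3f}")
```

Run against a real dropped file, replace the constructed buffer with `open(path, "rb").read()` and the reported Size with `os.path.getsize(path)`. A file longer than page_size times database_pages is not by itself suspicious: SQLite's chunk-size file control lets an application pre-grow a database in fixed increments, and the eighth record above (2048-byte pages, 89 pages, 196608 bytes) shows the same pattern on a smaller scale. The opposite case, a file shorter than the header claims, means a truncated copy, which matters when a stealer's staged database is being assessed for how much it actually captured. The version-valid-for comparison is required before trusting either verdict, since older writers leave the in-header page count stale.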
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):20480
                                                                                                                                                                Entropy (8bit):0.6732424250451717
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                                                                                MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                                                                                SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                                                                                SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                                                                                SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):106496
                                                                                                                                                                Entropy (8bit):1.136413900497188
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                                                MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                                                SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                                                SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                                                SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):155648
                                                                                                                                                                Entropy (8bit):0.5407252242845243
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                                                                                MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                                                                                SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                                                                                SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                                                                                SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):40960
                                                                                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):159744
                                                                                                                                                                Entropy (8bit):0.5394293526345721
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                                                                                                MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                                                                                                SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                                                                                                SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                                                                                                SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):196608
                                                                                                                                                                Entropy (8bit):1.121297215059106
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                                                                                MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                                                                                SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                                                                                SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                                                                                SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):159744
                                                                                                                                                                Entropy (8bit):0.5394293526345721
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                                                                                                MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                                                                                                SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                                                                                                SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                                                                                                SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):106496
                                                                                                                                                                Entropy (8bit):1.136413900497188
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                                                MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                                                SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                                                SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                                                SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):40960
                                                                                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):196608
                                                                                                                                                                Entropy (8bit):1.121297215059106
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                                                                                MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                                                                                SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                                                                                SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                                                                                SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):196608
                                                                                                                                                                Entropy (8bit):1.121297215059106
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                                                                                MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                                                                                SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                                                                                SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                                                                                SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\ygm2mXUReY.exe
                                                                                                                                                                File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):98304
                                                                                                                                                                Entropy (8bit):0.08235737944063153
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                                MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                                SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                                SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                                SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\ygm2mXUReY.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):106496
                                                                                                                                                                Entropy (8bit):1.136413900497188
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                                                MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                                                SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                                                SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                                                SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\ygm2mXUReY.exe
                                                                                                                                                                File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):5242880
                                                                                                                                                                Entropy (8bit):0.03859996294213402
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                                                                                                                                MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                                                                                                                                                SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                                                                                                                                                SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                                                                                                                                                SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\ygm2mXUReY.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):106496
                                                                                                                                                                Entropy (8bit):1.136413900497188
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                                                MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                                                SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                                                SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                                                SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\ygm2mXUReY.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.121297215059106
Encrypted:false
SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:D87270D0039ED3A5A72E7082EA71E305
SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:false
Process:C:\Users\user\Desktop\ygm2mXUReY.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):159744
Entropy (8bit):0.5394293526345721
Encrypted:false
SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:52701A76A821CDDBC23FB25C3FCA4968
SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:false
Process:C:\Users\user\Desktop\ygm2mXUReY.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):155648
Entropy (8bit):0.5407252242845243
Encrypted:false
SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:7B955D976803304F2C0505431A0CF1CF
SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:false
Process:C:\Users\user\Desktop\ygm2mXUReY.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.03859996294213402
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:false
Process:C:\Users\user\Desktop\ygm2mXUReY.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\Users\user\Desktop\ygm2mXUReY.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.121297215059106
Encrypted:false
SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:D87270D0039ED3A5A72E7082EA71E305
SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:false
Process:C:\Users\user\Desktop\ygm2mXUReY.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:dropped
Size (bytes):20480
Entropy (8bit):0.6732424250451717
Encrypted:false
SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:false
Process:C:\Users\user\Desktop\ygm2mXUReY.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.136413900497188
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:429F49156428FD53EB06FC82088FD324
SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:false
Process:C:\Users\user\Desktop\ygm2mXUReY.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):51200
Entropy (8bit):0.8746135976761988
Encrypted:false
SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:9E68EA772705B5EC0C83C2A97BB26324
SHA1:243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:false
Process:C:\Users\user\Desktop\ygm2mXUReY.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):155648
Entropy (8bit):0.5407252242845243
Encrypted:false
SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:7B955D976803304F2C0505431A0CF1CF
SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\ygm2mXUReY.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):40960
                                                                                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\ygm2mXUReY.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):196608
                                                                                                                                                                Entropy (8bit):1.121297215059106
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                                                                                MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                                                                                SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                                                                                SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                                                                                SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\ygm2mXUReY.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):20480
                                                                                                                                                                Entropy (8bit):0.8439810553697228
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                                                                                                                                                                MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                                                                                                                                                                SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                                                                                                                                                                SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                                                                                                                                                                SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\ygm2mXUReY.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):159744
                                                                                                                                                                Entropy (8bit):0.5394293526345721
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                                                                                                MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                                                                                                SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                                                                                                SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                                                                                                SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:ASCII text, with very long lines (369), with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1060
                                                                                                                                                                Entropy (8bit):5.999391385907715
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:KauS79Gr4iSllJALQZ73auS79Gr4iSllJALQZ7c:KauS7GAfJUu73auS7GAfJUu7c
                                                                                                                                                                MD5:C0ADF7485C183F86B6E5146BBCAD794B
                                                                                                                                                                SHA1:1F31AF65C794F1C146C90F710035734C2D309AE6
                                                                                                                                                                SHA-256:B9DE707D979A9939290146CBFD7769E6121A43BCCF04ED0731C6108F47577CE6
                                                                                                                                                                SHA-512:E23D818BC20E47A8183F4B6AA2CE79B72CFF805ACC6BAAFCB009F372FD8F498522340EEC54621A8A219A8DCE019308137774ABFC35AE15941869B85BA7FA8085
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.google.com.FALSE./.TRUE.1699018815.1P_JAR.ENC893*_djEwmUj/dRHWNmfhbTB/w+u3HcpAF49UGcxvovgmz9ye9OQyJO9KCFHkRm8=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*...google.com.TRUE./.TRUE.1712238015.NID.ENC893*_djEwFCqquAx+Q1mLxpuZeEBJZSgzAt4Ngo/HHXcYPxMGINXG0MJzCe/y7m5VzpUyfsA6ingOdNobTvWP/YbKYpzg64nmGlCjRU9RpPIjDAuAxGlp5MTMUaOP4iC8aSCuijjqDE5gAdZQ5Jgb0/uEAZ4ssWGDsxXJbqpGbi04viYfPDhBfQ9XKXznqtHW/weYlNZJIGlKZBsCWoEIKfuL56VHKaBt04gLO/XK1/P3nHsp6pSc1x1uk1RRK7hSYUjCY5G/hcpBBjFv74dICDI=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*...google.com.FALSE./.TRUE.1699018815.1P_JAR.ENC893*_djEwmUj/dRHWNmfhbTB/w+u3HcpAF49UGcxvovgmz9ye9OQyJO9KCFHkRm8=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*...google.com.TRUE./.TRUE.1712238015.NID.ENC893*_djEwFCqquAx+Q1mLxpuZeEBJZSgzAt4Ngo/HHXcYPxMGINXG0MJzCe/y7m5VzpUyfsA6ingOdNobTvWP/YbKYpzg64nmGlCjRU9RpPIjDAuAxGlp5MTMUaOP4iC8aSCuijjqDE5gAdZQ5Jgb0/uEAZ4ssWGDsxXJbqpGbi04viYfPDhBfQ9XKXznqtHW/weYlNZJIGlKZBsCWoEIKfuL56VHKaBt04gLO/XK1/P3nHsp6pSc1x1uk1RRK7hSYUjCY5G/hcpB
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):7188
                                                                                                                                                                Entropy (8bit):5.516763288086174
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:xzglZRMlc2KBhA6tsxODsRw4Uxr5Z9aANUbg3x:x0qlX6tsxPHSr5ZlB
                                                                                                                                                                MD5:C916FB1D183F9818E27B012FEEDE6580
                                                                                                                                                                SHA1:3DD68460E2BA6CC36872146F40084031A42D96F8
                                                                                                                                                                SHA-256:255494528B436D0872FDAEEA223A8E9503EA88D148A2D09368D9780C2C216B11
                                                                                                                                                                SHA-512:A1529CD41A91F308B1A4BA08560202932A7CB0482E4A6CADF4A4E2C13FD787D1BC298102FEE089BD508DD95C2AF1FF4D4DFE834928463445EA3E7C72E38B0F51
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:Build: mosik..Version: 1.9....Date: Mon Apr 22 01:53:20 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: b2021762f2b1eb6f19d126e2333b5b9a....Path: C:\ProgramData\MPGPH131\MPGPH131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixy6AEw0M_IhkGZ....IP: 81.181.57.52..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 965969 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 22/4/2024 1:53:20..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [332]..csrss.exe [420]..wininit.exe [496]..csrss.exe [504]..winlogon.exe [564]..services.exe [632]..lsass.exe [640]..svchost.exe [752]..fontdrvhost.exe [780]..fontdrvhost.exe [788
                                                                                                                                                                Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4897
                                                                                                                                                                Entropy (8bit):2.518316437186352
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                                                                                                                                                MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                                                                                                                                                SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                                                                                                                                                SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                                                                                                                                                SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\ygm2mXUReY.exe
                                                                                                                                                                File Type:ASCII text, with very long lines (369), with CRLF line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):530
                                                                                                                                                                Entropy (8bit):5.999391385907715
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:copYxSlufq7gCx7Fbyr4rOSlTfJJADr6HDsZQZ7gC6:KauS79Gr4iSllJALQZ7c
MD5:06ED2CD304730F55A5C7001509E128BE
SHA1:49651485B2CE3D239172BD52BF5A265AB3EB8E18
SHA-256:66851B5AA77B3DEE71B842F53D4E30F664F5A08F9754B9E87B323871981516A4
SHA-512:0163A8537DE695D34865EEB9C872F15A1827644D8797344A2D36E776F174E5901E77AA560488B0D7D7359B3648614F818B85A7D51F59CCDF2831B5715F5A9334
Malicious:false
Preview:.google.com.FALSE./.TRUE.1699018815.1P_JAR.ENC893*_djEwmUj/dRHWNmfhbTB/w+u3HcpAF49UGcxvovgmz9ye9OQyJO9KCFHkRm8=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*...google.com.TRUE./.TRUE.1712238015.NID.ENC893*_djEwFCqquAx+Q1mLxpuZeEBJZSgzAt4Ngo/HHXcYPxMGINXG0MJzCe/y7m5VzpUyfsA6ingOdNobTvWP/YbKYpzg64nmGlCjRU9RpPIjDAuAxGlp5MTMUaOP4iC8aSCuijjqDE5gAdZQ5Jgb0/uEAZ4ssWGDsxXJbqpGbi04viYfPDhBfQ9XKXznqtHW/weYlNZJIGlKZBsCWoEIKfuL56VHKaBt04gLO/XK1/P3nHsp6pSc1x1uk1RRK7hSYUjCY5G/hcpBBjFv74dICDI=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*..
Process:C:\Users\user\Desktop\ygm2mXUReY.exe
File Type:ASCII text, with CRLF, LF line terminators
Category:dropped
Size (bytes):7146
Entropy (8bit):5.514185322325561
Encrypted:false
SSDEEP:96:xzmJqpZRM4Wc2KBhA6tsxODsRw4Uxr5Z9+fANUbg3x:xVvqDX6tsxPHSr5Z5B
MD5:FAD3B2EEA7129F04A469AFCB1B589099
SHA1:1B9853052992F84C9772B2BB3FC3D39E5F485CDE
SHA-256:207227A93D0B1E8D1B35938E53AE68C7F90C3BF0D4215A246E76E3DD0C089CF6
SHA-512:BCCBD99C0D29A990268B6BFD020CBBAA4443341BC6A2F626165427225DC4B43C8424791EC99CD83A764E8CE7417DC681A87FBD290EFB06AF519AFDBC5FECCC35
Malicious:false
Preview:Build: mosik..Version: 1.9....Date: Mon Apr 22 01:53:13 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: b2021762f2b1eb6f19d126e2333b5b9a....Path: C:\Users\user\Desktop\ygm2mXUReY.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixypFpfdi9cVY05....IP: 81.181.57.52..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 965969 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 22/4/2024 1:53:13..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [332]..csrss.exe [420]..wininit.exe [496]..csrss.exe [504]..winlogon.exe [564]..services.exe [632]..lsass.exe [640]..svchost.exe [752]..fontdrvhost.exe [780]..fontdrvhost.exe [7
Process:C:\Users\user\Desktop\ygm2mXUReY.exe
File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
Category:dropped
Size (bytes):4897
Entropy (8bit):2.518316437186352
Encrypted:false
SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.424438597755887
Encrypted:false
SSDEEP:6144:zSvfpi6ceLP/9skLmb0OTBWSPHaJG8nAgeMZMMhA2fX4WABlEnNz0uhiTwD:+vloTBW+EZMM6DFyF03wD
MD5:91A322FB5AB4CF677840EA6E8B611539
SHA1:5DE88E448A3D241A3E33A86E29AD2107D7756E53
SHA-256:31CC57E671D11DEC85A8A96ED6C37B0B52C21B6500B444AE7D6878F6197E089F
SHA-512:07BA50B2B33E396FF89A8A88FD44147D732E24E01A93C4B2F35BA96C4B458B0165FFB2F446FAEEA7658601252CACF1B29232DEE68133235ABC30F1FD51908AC4
Malicious:false
Preview:regfF...F....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm67..G....
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.765309926729777
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:ygm2mXUReY.exe
File size:997'888 bytes
MD5:d668244429e4a7a0b205b2ce843b9663
SHA1:dd8aee62f445db5649840f9ffb8cb33d304254f3
SHA256:ef09750219f549d293572aedb0f593ef6c4a74ac77bb99950ca8b5a91377ab89
SHA512:998a0cd29c6ed6b9d922e2a5706a0b9f661f4c9ec2d8f30ef942bbc69d42c8d30938297d81123c6f2b312f5f09e81e08bbc38b944a563e4d0b7b17bd28db2438
SSDEEP:24576:opsnpECte4yQyGPLUXotoVeJVUXuJlt+ZPZzR4:opspbe3GPwZVeIeJlt+ZxzR
TLSH:03251312B6C59437F6B787308C744A51063AFDB26931891F6788F62E2EFB1E01A51F63
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.....|...|...|.......|.....z.|.....*.|.......|...}.v.|..4....|.......|..4....|.Rich..|.........PE..L...9..c...................
Icon Hash:cd0d3d2e4e054d05
Entrypoint:0x40405d
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x63FBEA39 [Sun Feb 26 23:24:41 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:43cb5d6ab6c623f5883f711e054621c1
Instruction
call 00007FE3B48F56D8h
jmp 00007FE3B48EFAA5h
push 00000014h
push 004166C8h
call 00007FE3B48F2C22h
call 00007FE3B48F47E3h
movzx esi, ax
push 00000002h
call 00007FE3B48F566Bh
pop ecx
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
je 00007FE3B48EFAA6h
xor ebx, ebx
jmp 00007FE3B48EFAD5h
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007FE3B48EFA8Dh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007FE3B48EFA7Fh
xor ebx, ebx
cmp dword ptr [eax+00400074h], 0Eh
jbe 00007FE3B48EFAABh
cmp dword ptr [eax+004000E8h], ebx
setne bl
mov dword ptr [ebp-1Ch], ebx
call 00007FE3B48F2A98h
test eax, eax
jne 00007FE3B48EFAAAh
push 0000001Ch
call 00007FE3B48EFB81h
pop ecx
call 00007FE3B48F2179h
test eax, eax
jne 00007FE3B48EFAAAh
push 00000010h
call 00007FE3B48EFB70h
pop ecx
call 00007FE3B48F452Ch
and dword ptr [ebp-04h], 00000000h
call 00007FE3B48F3B85h
test eax, eax
jns 00007FE3B48EFAAAh
push 0000001Bh
call 00007FE3B48EFB56h
pop ecx
call dword ptr [004100C8h]
mov dword ptr [040D796Ch], eax
call 00007FE3B48F56BFh
mov dword ptr [004E6920h], eax
call 00007FE3B48F52BCh
test eax, eax
jns 00007FE3B48EFAAAh
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [IMP] VS2008 SP1 build 30729
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16afc | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3cd8000 | 0xee58 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x10200 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x160b0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x16068 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x10000 | 0x190 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                                                                                                                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                                                .text0x10000xe4030xe6007b31db8089c16557734f35bf632d4c74False0.6020380434782608data6.68670617044423IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                                                .rdata0x100000x74300x760085297e859433e8e12aa647e32015e4a3False0.3898305084745763data4.888708079319744IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                                .data0x180000x3cbf9840xcea00e92ec5ec1663fcfac16166a2b8f430a6unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                                .rsrc0x3cd80000xee580xf0005312b41c27b3bb1efed2d6246a08c490False0.47900390625data5.216986397030211IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
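The section table above carries the one static clue that matters for this sample: .data declares a VirtualSize of 0x3cbf984 against a SizeOfRawData of 0xcea00, so about 60 MiB of that section exist only in memory and are zero-filled by the loader, which is exactly the kind of staging area a packer fills at run time. The script below is an added example, not part of the Joe Sandbox report and not RisePro code. It builds a constructed PE32 header blob carrying the four section entries from the table, walks the section headers the way a loader does (e_lfanew, PE signature, COFF header, optional header, section table) and applies two header-level heuristics: in-memory size far larger than on-disk size, and sections that are both writable and executable. The thresholds, the builder and every function name are this example's own choices.

```python
"""Header-level triage of a PE section table, standard library only.

Added example for this report page; it is not Joe Sandbox code and not
RisePro code. The four section entries below are copied from the table
above; the synthetic PE builder, the threshold values and all function
names are this example's own constructions.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics.
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

# (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics), copied from the report.
REPORT_SECTIONS = [
    (b".text",  0x1000,    0xe403,    0xe600,  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rdata", 0x10000,   0x7430,    0x7600,  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".data",  0x18000,   0x3cbf984, 0xcea00, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rsrc",  0x3cd8000, 0xee58,    0xf000,  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]


def build_pe_headers(sections):
    """Constructed PE32 header blob: DOS header, 'PE\\0\\0', COFF header, a zeroed
    optional header and one IMAGE_SECTION_HEADER per entry. Enough for a header
    parser to exercise; it is not a loadable executable."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE signature lives at 0x40
    opt_size = 0xE0                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    raw_ptr, hdrs = 0x400, b""
    for name, va, vsize, rawsize, chars in sections:
        hdrs += SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, va, rawsize, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += rawsize
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def parse_sections(blob):
    """Follow the on-disk chain e_lfanew -> PE signature -> COFF header -> optional
    header -> section table, and return one dict per section."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", blob, e_lfanew + 6)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]       # COFF SizeOfOptionalHeader
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(num_sections):
        f = SECTION_HDR.unpack_from(blob, table + i * SECTION_HDR.size)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "va": f[2], "rawsize": f[3], "rawptr": f[4], "chars": f[9]})
    return sections


def triage(sections, ratio=4.0, min_gap=1 << 20):
    """Flag sections whose in-memory size dwarfs their on-disk size (zero-filled space
    an unpacker can write into) and sections mapped writable and executable.
    Returns (section name, finding key, explanation) tuples."""
    findings = []
    for s in sections:
        gap = s["vsize"] - s["rawsize"]
        if gap > min_gap and s["vsize"] > ratio * s["rawsize"]:
            findings.append((s["name"], "unbacked",
                             f"VirtualSize 0x{s['vsize']:x} vs SizeOfRawData 0x{s['rawsize']:x}: "
                             f"about {gap / 2**20:.0f} MiB exist only in memory"))
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s["name"], "rwx", "section is both writable and executable"))
    return findings


if __name__ == "__main__":
    for name, key, why in triage(parse_sections(build_pe_headers(REPORT_SECTIONS))):
        print(f"{name:8} {key:9} {why}")
```

Run against the real file by passing the bytes from `open(path, "rb").read()` to `parse_sections` instead of the constructed blob. Note the limit of a header check: none of the four sections is writable and executable on disk, so the RWX heuristic stays silent here; rights that are changed at run time with VirtualProtect, and a PE header overwritten in memory, are only visible to dynamic analysis or a memory dump.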
Name           RVA        Size    Language  Country  ZLIB Complexity      Type
RT_ICON        0x3cd8570  0xea8   Romanian  Romania  0.4869402985074627   Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors
RT_ICON        0x3cd9418  0x8a8   Romanian  Romania  0.5997292418772563   Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors
RT_ICON        0x3cd9cc0  0x6c8   Romanian  Romania  0.6532258064516129   Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors
RT_ICON        0x3cda388  0x568   Romanian  Romania  0.6560693641618497   Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors
RT_ICON        0x3cda8f0  0x25a8  Romanian  Romania  0.3912863070539419   Device independent bitmap graphic, 48 x 96 x 32, image size 9216
RT_ICON        0x3cdce98  0x10a8  Romanian  Romania  0.5086772983114447   Device independent bitmap graphic, 32 x 64 x 32, image size 4096
RT_ICON        0x3cddf40  0x988   Romanian  Romania  0.5860655737704918   Device independent bitmap graphic, 24 x 48 x 32, image size 2304
RT_ICON        0x3cde8c8  0x468   Romanian  Romania  0.6773049645390071   Device independent bitmap graphic, 16 x 32 x 32, image size 1024
RT_ICON        0x3cdeda8  0xea8   Romanian  Romania  0.4139125799573561   Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON        0x3cdfc50  0x8a8   Romanian  Romania  0.4598375451263538   Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON        0x3ce04f8  0x6c8   Romanian  Romania  0.554147465437788    Device independent bitmap graphic, 24 x 48 x 8, image size 0
RT_ICON        0x3ce0bc0  0x568   Romanian  Romania  0.44942196531791906  Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON        0x3ce1128  0x25a8  Romanian  Romania  0.46307053941908716  Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON        0x3ce36d0  0x10a8  Romanian  Romania  0.4793621013133208   Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON        0x3ce4778  0x988   Romanian  Romania  0.494672131147541    Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON        0x3ce5100  0x468   Romanian  Romania  0.5540780141843972   Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_DIALOG      0x3ce57c8  0x52    -         -        0.8780487804878049   data
RT_STRING      0x3ce5820  0x322   Romanian  Romania  0.47256857855361595  data
RT_STRING      0x3ce5b48  0x5a8   Romanian  Romania  0.43577348066298344  data
RT_STRING      0x3ce60f0  0x1e4   Romanian  Romania  0.4772727272727273   data
RT_STRING      0x3ce62d8  0x322   Romanian  Romania  0.47381546134663344  data
RT_STRING      0x3ce6600  0x698   Romanian  Romania  0.4259478672985782   data
RT_STRING      0x3ce6c98  0x1ba   Romanian  Romania  0.5135746606334841   data
RT_GROUP_ICON  0x3cded30  0x76    Romanian  Romania  0.6610169491525424   data
RT_GROUP_ICON  0x3ce5568  0x76    Romanian  Romania  0.6694915254237288   data
RT_VERSION     0x3ce55e0  0x1e4   -         -        0.5371900826446281   data

DLL           Import
KERNEL32.dll  LocalCompact, GetUserDefaultLCID, AddConsoleAliasW, CreateHardLinkA, GetTickCount, EnumTimeFormatsW, GetUserDefaultLangID, FindResourceExA, GetVolumeInformationA, GetLocaleInfoW, GetCompressedFileSizeA, GetTempPathW, SetThreadLocale, SetLastError, GetProcAddress, CreateTimerQueueTimer, FindFirstChangeNotificationW, BuildCommDCBW, LoadLibraryA, WriteConsoleA, InterlockedExchangeAdd, LocalAlloc, SetCalendarInfoW, GetExitCodeThread, RemoveDirectoryW, AddAtomA, SetNamedPipeHandleState, GlobalFindAtomW, GetModuleFileNameA, GetOEMCP, GlobalUnWire, LoadLibraryExA, ReadConsoleInputW, GetWindowsDirectoryW, AddConsoleAliasA, SetFileAttributesA, GetComputerNameA, WriteConsoleW, OutputDebugStringW, GetLastError, HeapFree, EncodePointer, DecodePointer, ReadFile, ExitProcess, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, GetCommandLineA, RaiseException, RtlUnwind, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetCPInfo, GetCurrentThreadId, IsDebuggerPresent, HeapAlloc, GetProcessHeap, HeapSize, EnterCriticalSection, LeaveCriticalSection, SetFilePointerEx, GetConsoleMode, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, CloseHandle, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, WriteFile, GetModuleFileNameW, LoadLibraryExW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStringTypeW, HeapReAlloc, LCMapStringW, SetStdHandle, GetConsoleCP, FlushFileBuffers, CreateFileW
ADVAPI32.dll  DeregisterEventSource
WINHTTP.dll   WinHttpConnect

Language of compilation system  Country where language is spoken
Romanian                        Romania
Timestamp                 Protocol  SID      Message                                         Source Port  Dest Port  Source IP      Dest IP
04/22/24-01:53:01.193897  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)         58709        49708      147.45.47.93   192.168.2.5
04/22/24-01:53:38.322767  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)      49708        58709      192.168.2.5    147.45.47.93
04/22/24-01:53:37.276261  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)      49706        58709      192.168.2.5    147.45.47.93
04/22/24-01:53:24.660719  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)         58709        49723      147.45.47.93   192.168.2.5
04/22/24-01:53:00.837713  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)         58709        49706      147.45.47.93   192.168.2.5
04/22/24-01:53:24.890079  TCP       2046267  ET TROJAN [ANY.RUN] RisePro TCP (External IP)   58709        49723      147.45.47.93   192.168.2.5
04/22/24-01:53:54.436720  TCP       2046270  ET TROJAN [ANY.RUN] RisePro TCP (Exfiltration)  49723        58709      192.168.2.5    147.45.47.93
04/22/24-01:52:56.197489  TCP       2049060  ET TROJAN RisePro TCP Heartbeat Packet          49705        58709      192.168.2.5    147.45.47.93
04/22/24-01:53:54.436720  TCP       2049661  ET TROJAN RisePro CnC Activity (Inbound)        49723        58709      192.168.2.5    147.45.47.93
04/22/24-01:53:29.479123  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)      49723        58709      192.168.2.5    147.45.47.93
04/22/24-01:52:56.636815  TCP       2046267  ET TROJAN [ANY.RUN] RisePro TCP (External IP)   58709        49705      147.45.47.93   192.168.2.5
04/22/24-01:52:56.389699  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)         58709        49705      147.45.47.93   192.168.2.5
04/22/24-01:53:47.973422  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)      49715        58709      192.168.2.5    147.45.47.93
04/22/24-01:53:01.078051  TCP       2046267  ET TROJAN [ANY.RUN] RisePro TCP (External IP)   58709        49706      147.45.47.93   192.168.2.5
04/22/24-01:53:00.350421  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)      49705        58709      192.168.2.5    147.45.47.93
04/22/24-01:53:12.584543  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)         58709        49715      147.45.47.93   192.168.2.5
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Apr 22, 2024 01:52:55.949357986 CEST  49705        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:52:56.168751955 CEST  58709        49705      147.45.47.93    192.168.2.5
Apr 22, 2024 01:52:56.168991089 CEST  49705        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:52:56.197489023 CEST  49705        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:52:56.389698982 CEST  58709        49705      147.45.47.93    192.168.2.5
Apr 22, 2024 01:52:56.417090893 CEST  58709        49705      147.45.47.93    192.168.2.5
Apr 22, 2024 01:52:56.417290926 CEST  49705        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:52:56.510426998 CEST  49705        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:52:56.636815071 CEST  58709        49705      147.45.47.93    192.168.2.5
Apr 22, 2024 01:52:56.682198048 CEST  49705        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:52:56.769901991 CEST  58709        49705      147.45.47.93    192.168.2.5
Apr 22, 2024 01:53:00.350420952 CEST  49705        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:53:00.393048048 CEST  49706        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:53:00.528920889 CEST  49707        443        192.168.2.5     34.117.186.192
Apr 22, 2024 01:53:00.528992891 CEST  443          49707      34.117.186.192  192.168.2.5
Apr 22, 2024 01:53:00.529076099 CEST  49707        443        192.168.2.5     34.117.186.192
Apr 22, 2024 01:53:00.536945105 CEST  49707        443        192.168.2.5     34.117.186.192
Apr 22, 2024 01:53:00.536981106 CEST  443          49707      34.117.186.192  192.168.2.5
Apr 22, 2024 01:53:00.584043026 CEST  58709        49705      147.45.47.93    192.168.2.5
Apr 22, 2024 01:53:00.615375996 CEST  58709        49706      147.45.47.93    192.168.2.5
Apr 22, 2024 01:53:00.615488052 CEST  49706        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:53:00.633690119 CEST  49706        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:53:00.635171890 CEST  49705        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:53:00.754863024 CEST  49708        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:53:00.758932114 CEST  443          49707      34.117.186.192  192.168.2.5
Apr 22, 2024 01:53:00.759000063 CEST  49707        443        192.168.2.5     34.117.186.192
Apr 22, 2024 01:53:00.763166904 CEST  49707        443        192.168.2.5     34.117.186.192
Apr 22, 2024 01:53:00.763190031 CEST  443          49707      34.117.186.192  192.168.2.5
Apr 22, 2024 01:53:00.763545990 CEST  443          49707      34.117.186.192  192.168.2.5
Apr 22, 2024 01:53:00.807055950 CEST  49707        443        192.168.2.5     34.117.186.192
Apr 22, 2024 01:53:00.837713003 CEST  58709        49706      147.45.47.93    192.168.2.5
Apr 22, 2024 01:53:00.855674982 CEST  58709        49706      147.45.47.93    192.168.2.5
Apr 22, 2024 01:53:00.855834961 CEST  49706        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:53:00.963651896 CEST  49706        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:53:00.974334955 CEST  58709        49708      147.45.47.93    192.168.2.5
Apr 22, 2024 01:53:00.974437952 CEST  49708        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:53:00.987601042 CEST  49708        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:53:01.078051090 CEST  58709        49706      147.45.47.93    192.168.2.5
Apr 22, 2024 01:53:01.193897009 CEST  58709        49708      147.45.47.93    192.168.2.5
Apr 22, 2024 01:53:01.210150003 CEST  49706        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:53:01.238528967 CEST  58709        49706      147.45.47.93    192.168.2.5
Apr 22, 2024 01:53:01.254523993 CEST  58709        49708      147.45.47.93    192.168.2.5
Apr 22, 2024 01:53:01.275918961 CEST  49708        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:53:01.495318890 CEST  58709        49708      147.45.47.93    192.168.2.5
Apr 22, 2024 01:53:01.588387966 CEST  49708        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:53:01.620204926 CEST  49708        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:53:01.895342112 CEST  58709        49708      147.45.47.93    192.168.2.5
Apr 22, 2024 01:53:03.336210012 CEST  49707        443        192.168.2.5     34.117.186.192
Apr 22, 2024 01:53:03.384208918 CEST  443          49707      34.117.186.192  192.168.2.5
Apr 22, 2024 01:53:03.470485926 CEST  443          49707      34.117.186.192  192.168.2.5
Apr 22, 2024 01:53:03.470602036 CEST  443          49707      34.117.186.192  192.168.2.5
Apr 22, 2024 01:53:03.470803022 CEST  49707        443        192.168.2.5     34.117.186.192
Apr 22, 2024 01:53:03.473037958 CEST  49707        443        192.168.2.5     34.117.186.192
Apr 22, 2024 01:53:03.473038912 CEST  49707        443        192.168.2.5     34.117.186.192
Apr 22, 2024 01:53:03.473100901 CEST  443          49707      34.117.186.192  192.168.2.5
Apr 22, 2024 01:53:03.473135948 CEST  443          49707      34.117.186.192  192.168.2.5
Apr 22, 2024 01:53:03.605602026 CEST  49709        443        192.168.2.5     172.67.75.166
Apr 22, 2024 01:53:03.605681896 CEST  443          49709      172.67.75.166   192.168.2.5
Apr 22, 2024 01:53:03.605786085 CEST  49709        443        192.168.2.5     172.67.75.166
Apr 22, 2024 01:53:03.606260061 CEST  49709        443        192.168.2.5     172.67.75.166
Apr 22, 2024 01:53:03.606302023 CEST  443          49709      172.67.75.166   192.168.2.5
Apr 22, 2024 01:53:03.830745935 CEST  443          49709      172.67.75.166   192.168.2.5
Apr 22, 2024 01:53:03.831027031 CEST  49709        443        192.168.2.5     172.67.75.166
Apr 22, 2024 01:53:03.834363937 CEST  49709        443        192.168.2.5     172.67.75.166
Apr 22, 2024 01:53:03.834414959 CEST  443          49709      172.67.75.166   192.168.2.5
Apr 22, 2024 01:53:03.834683895 CEST  443          49709      172.67.75.166   192.168.2.5
Apr 22, 2024 01:53:03.836033106 CEST  49709        443        192.168.2.5     172.67.75.166
Apr 22, 2024 01:53:03.876151085 CEST  443          49709      172.67.75.166   192.168.2.5
Apr 22, 2024 01:53:04.176630974 CEST  443          49709      172.67.75.166   192.168.2.5
Apr 22, 2024 01:53:04.176723957 CEST  443          49709      172.67.75.166   192.168.2.5
Apr 22, 2024 01:53:04.176795006 CEST  49709        443        192.168.2.5     172.67.75.166
Apr 22, 2024 01:53:04.178607941 CEST  49709        443        192.168.2.5     172.67.75.166
Apr 22, 2024 01:53:04.178608894 CEST  49709        443        192.168.2.5     172.67.75.166
Apr 22, 2024 01:53:04.178656101 CEST  443          49709      172.67.75.166   192.168.2.5
Apr 22, 2024 01:53:04.178685904 CEST  443          49709      172.67.75.166   192.168.2.5
Apr 22, 2024 01:53:04.179383993 CEST  49705        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:53:04.213398933 CEST  49706        58709      192.168.2.5     147.45.47.93
Apr 22, 2024 01:53:04.426990032 CEST  58709        49705      147.45.47.93    192.168.2.5
Apr 22, 2024 01:53:04.442778111 CEST  58709        49706      147.45.47.93    192.168.2.5
Apr 22, 2024 01:53:04.494581938 CEST  49706        58709      192.168.2.5     147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:04.510330915 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:04.743664026 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:04.791425943 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:04.838454008 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:05.073441029 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:05.073503017 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:05.073543072 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:05.073581934 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:05.073616982 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:05.073622942 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:05.073657990 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:05.073661089 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:05.073699951 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:05.073699951 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:05.073739052 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:05.073776007 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:05.073817015 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:05.073929071 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:05.073929071 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:05.293076992 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:05.293140888 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:05.293180943 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:05.293194056 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:05.293220043 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:05.293263912 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:05.293266058 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:05.385308981 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:05.385308981 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:05.419564009 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:05.617497921 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:05.646121025 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:05.713845968 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:05.791490078 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:05.947765112 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:06.088311911 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:06.186688900 CEST49710443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:06.186733007 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:06.186789989 CEST49710443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:06.188057899 CEST49710443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:06.188070059 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:06.253062963 CEST49711443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:06.253099918 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:06.253173113 CEST49711443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:06.402733088 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:06.402812958 CEST49710443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:06.403932095 CEST49710443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:06.403943062 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:06.404156923 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:06.494554043 CEST49710443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:07.490751982 CEST49711443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:07.490787029 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:07.711576939 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:07.711662054 CEST49711443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:08.866038084 CEST49711443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:08.866067886 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:08.867064953 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:08.988409996 CEST49711443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:09.382972002 CEST49710443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:09.424160004 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:09.516634941 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:09.516921043 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:09.516997099 CEST49710443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:09.517201900 CEST49710443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:09.517225981 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:09.517241001 CEST49710443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:09.517247915 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:09.534461975 CEST49712443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:09.534549952 CEST44349712172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:09.534646988 CEST49712443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:09.534938097 CEST49712443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:09.534971952 CEST44349712172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:09.759715080 CEST44349712172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:09.759840965 CEST49712443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:09.761585951 CEST49712443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:09.761619091 CEST44349712172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:09.761957884 CEST44349712172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:09.763649940 CEST49712443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:09.794217110 CEST49711443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:09.804121971 CEST44349712172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:09.840111971 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:09.928968906 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:09.929318905 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:09.929394960 CEST49711443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:09.929564953 CEST49711443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:09.929584980 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:09.929600000 CEST49711443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:09.929605007 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:09.993729115 CEST49713443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:09.993813038 CEST44349713172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:09.993941069 CEST49713443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:09.998043060 CEST49713443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:09.998116016 CEST44349713172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:10.086098909 CEST44349712172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:10.086390018 CEST44349712172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:10.086467981 CEST49712443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:10.222889900 CEST44349713172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:10.222995043 CEST49713443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:10.249080896 CEST49713443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:10.249150991 CEST44349713172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:10.250030994 CEST44349713172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:10.251669884 CEST49713443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:10.292150021 CEST44349713172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:10.584223986 CEST44349713172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:10.584465027 CEST44349713172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:10.584556103 CEST49713443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:10.585751057 CEST49713443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:10.585796118 CEST44349713172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:10.585829020 CEST49713443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:10.585844994 CEST44349713172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:10.586162090 CEST4970658709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:10.838393927 CEST5870949706147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:10.921380997 CEST4970658709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:11.148922920 CEST5870949706147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:11.244930029 CEST4970658709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:11.425501108 CEST49712443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:11.425575018 CEST44349712172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:11.425614119 CEST49712443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:11.425632000 CEST44349712172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:11.426095009 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:11.480559111 CEST5870949706147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:11.480581045 CEST5870949706147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:11.480597973 CEST5870949706147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:29.454648972 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:29.454722881 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:29.479123116 CEST4972358709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:29.674038887 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:29.674190044 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:29.721199989 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:29.775831938 CEST4972358709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:29.941664934 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:30.864188910 CEST5870949706147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:30.994561911 CEST4970658709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:31.031156063 CEST4970658709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:31.270510912 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:31.301067114 CEST5870949706147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:31.478940010 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:31.681260109 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:31.941643953 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:32.588352919 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:32.807459116 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:32.816581011 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:32.816647053 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:32.989820957 CEST49724443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:32.989867926 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:32.989933014 CEST49724443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:32.990664959 CEST49724443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:32.990681887 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:33.209053040 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:33.209197044 CEST49724443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:33.213619947 CEST49724443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:33.213637114 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:33.213983059 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:33.307056904 CEST49724443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:34.350585938 CEST49724443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:34.396148920 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:34.494736910 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:34.494848967 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:34.494959116 CEST49724443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:34.495398045 CEST49724443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:34.495440006 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:34.495466948 CEST49724443192.168.2.534.117.186.192
                                                                                                                                                                Apr 22, 2024 01:53:34.495481968 CEST4434972434.117.186.192192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:34.502047062 CEST49725443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:34.502098083 CEST44349725172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:34.502156973 CEST49725443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:34.502449989 CEST49725443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:34.502475023 CEST44349725172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:34.727164030 CEST44349725172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:34.727246046 CEST49725443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:35.389342070 CEST49725443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:35.389390945 CEST44349725172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:35.389823914 CEST44349725172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:35.391282082 CEST49725443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:35.432153940 CEST44349725172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:35.578933001 CEST4970658709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:35.578989029 CEST4970658709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:35.607774973 CEST44349725172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:35.607882023 CEST44349725172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:35.607949972 CEST49725443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:35.608159065 CEST49725443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:35.608159065 CEST49725443192.168.2.5172.67.75.166
                                                                                                                                                                Apr 22, 2024 01:53:35.608202934 CEST44349725172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:35.608227968 CEST44349725172.67.75.166192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:35.608563900 CEST4972358709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:35.801155090 CEST5870949706147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:35.801222086 CEST4970658709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:35.861342907 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:35.861500978 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:35.879348993 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:35.887064934 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:35.934926987 CEST4972358709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:36.077775002 CEST5870949706147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.080841064 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.080869913 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.080912113 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:36.167134047 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.260396004 CEST4972358709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:36.348381996 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.495934010 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.495965004 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.495984077 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.496005058 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.496064901 CEST4972358709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:36.715121031 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.715183973 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.715224028 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.715259075 CEST4972358709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:36.715264082 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.715303898 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.715320110 CEST4972358709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:36.715343952 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.715380907 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.715404034 CEST4972358709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:36.715421915 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.715589046 CEST4972358709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:36.934369087 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.934462070 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.934504032 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:36.934633017 CEST4972358709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:37.025897980 CEST4972358709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:37.259449959 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:37.276261091 CEST4970658709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:37.353980064 CEST4972358709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:37.505574942 CEST5870949706147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:37.586787939 CEST5870949723147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:37.591748953 CEST4970658709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:37.775892019 CEST4972358709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:38.322767019 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:38.552416086 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:38.666568995 CEST4970658709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:38.775814056 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:38.894465923 CEST5870949706147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:38.897567987 CEST5870949706147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:38.897648096 CEST4970658709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:39.010246992 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:39.229749918 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:39.238637924 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:39.238729000 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:42.656821012 CEST5870949715147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:42.807081938 CEST4971558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:44.375036955 CEST4971558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:44.658862114 CEST5870949715147.45.47.93192.168.2.5
                                                                                                                                                                Apr 22, 2024 01:53:47.973422050 CEST4971558709192.168.2.5147.45.47.93
                                                                                                                                                                Apr 22, 2024 01:53:48.208590984 CEST5870949715147.45.47.93192.168.2.5
Apr 22, 2024 01:53:48.400810003 CEST | 49715 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 22, 2024 01:53:48.685653925 CEST | 49715 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 22, 2024 01:53:48.685713053 CEST | 49715 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 22, 2024 01:53:48.905706882 CEST | 58709 | 49715 | 147.45.47.93 | 192.168.2.5
Apr 22, 2024 01:53:48.905769110 CEST | 58709 | 49715 | 147.45.47.93 | 192.168.2.5
Apr 22, 2024 01:53:48.905808926 CEST | 49715 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 22, 2024 01:53:49.175988913 CEST | 58709 | 49715 | 147.45.47.93 | 192.168.2.5
Apr 22, 2024 01:53:51.697757959 CEST | 49715 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 22, 2024 01:53:51.917109966 CEST | 58709 | 49715 | 147.45.47.93 | 192.168.2.5
Apr 22, 2024 01:53:51.927100897 CEST | 58709 | 49715 | 147.45.47.93 | 192.168.2.5
Apr 22, 2024 01:53:51.927191019 CEST | 49715 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 22, 2024 01:53:54.436634064 CEST | 49723 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 22, 2024 01:53:54.436719894 CEST | 49723 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 22, 2024 01:53:54.655891895 CEST | 58709 | 49723 | 147.45.47.93 | 192.168.2.5
Apr 22, 2024 01:53:54.655993938 CEST | 49723 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 22, 2024 01:53:54.785797119 CEST | 58709 | 49723 | 147.45.47.93 | 192.168.2.5
Apr 22, 2024 01:53:54.875245094 CEST | 58709 | 49723 | 147.45.47.93 | 192.168.2.5
Apr 22, 2024 01:53:54.875339985 CEST | 49723 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 22, 2024 01:53:55.145371914 CEST | 58709 | 49723 | 147.45.47.93 | 192.168.2.5
Apr 22, 2024 01:53:57.449542999 CEST | 49723 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 22, 2024 01:53:57.668229103 CEST | 58709 | 49723 | 147.45.47.93 | 192.168.2.5
Apr 22, 2024 01:54:07.285542011 CEST | 58709 | 49723 | 147.45.47.93 | 192.168.2.5
Apr 22, 2024 01:54:07.285654068 CEST | 49723 | 58709 | 192.168.2.5 | 147.45.47.93
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 22, 2024 01:53:00.383691072 CEST | 62709 | 53 | 192.168.2.5 | 1.1.1.1
Apr 22, 2024 01:53:00.489476919 CEST | 53 | 62709 | 1.1.1.1 | 192.168.2.5
Apr 22, 2024 01:53:03.496237040 CEST | 59311 | 53 | 192.168.2.5 | 1.1.1.1
Apr 22, 2024 01:53:03.603782892 CEST | 53 | 59311 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 22, 2024 01:53:00.383691072 CEST | 192.168.2.5 | 1.1.1.1 | 0x1258 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Apr 22, 2024 01:53:03.496237040 CEST | 192.168.2.5 | 1.1.1.1 | 0xf88f | Standard query (0) | db-ip.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 22, 2024 01:53:00.489476919 CEST | 1.1.1.1 | 192.168.2.5 | 0x1258 | No error (0) | ipinfo.io |  | 34.117.186.192 | A (IP address) | IN (0x0001) | false
Apr 22, 2024 01:53:03.603782892 CEST | 1.1.1.1 | 192.168.2.5 | 0xf88f | No error (0) | db-ip.com |  | 172.67.75.166 | A (IP address) | IN (0x0001) | false
Apr 22, 2024 01:53:03.603782892 CEST | 1.1.1.1 | 192.168.2.5 | 0xf88f | No error (0) | db-ip.com |  | 104.26.4.15 | A (IP address) | IN (0x0001) | false
Apr 22, 2024 01:53:03.603782892 CEST | 1.1.1.1 | 192.168.2.5 | 0xf88f | No error (0) | db-ip.com |  | 104.26.5.15 | A (IP address) | IN (0x0001) | false
• https:
  • ipinfo.io
  • db-ip.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49707 | 34.117.186.192 | 443 | 5504 | C:\Users\user\Desktop\ygm2mXUReY.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-21 23:53:03 UTC | 237 | OUT | GET /widget/demo/81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: ipinfo.io
2024-04-21 23:53:03 UTC | 513 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Sun, 21 Apr 2024 23:53:03 GMT
content-type: application/json; charset=utf-8
Content-Length: 980
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 2
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-21 23:53:03 UTC | 742 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-21 23:53:03 UTC | 238 | IN | Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49709 | 172.67.75.166 | 443 | 5504 | C:\Users\user\Desktop\ygm2mXUReY.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-21 23:53:03 UTC | 261 | OUT | GET /demo/home.php?s=81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: db-ip.com
2024-04-21 23:53:04 UTC | 660 | IN | HTTP/1.1 200 OK
Date: Sun, 21 Apr 2024 23:53:04 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-iplb-request-id: AC471F6F:434C_93878F2E:0050_6625A6E0_938E887:4F34
x-iplb-instance: 59215
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XX5aLPBiVQy%2BtINBy97%2BZe4BqF7gqb4rrVZNV1GrP%2FvzHWHHyAcmLRSNUpbT6l%2Bme8vpdERX%2FyDvySEQ0Bi5rgjzn5HOx4vBbZl9RG8n2n9DX9FTMH%2ByH67EzQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87814a98298aade7-ATL
alt-svc: h3=":443"; ma=86400
2024-04-21 23:53:04 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-21 23:53:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49710 | 34.117.186.192 | 443 | 1672 | C:\ProgramData\MPGPH131\MPGPH131.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-21 23:53:09 UTC | 237 | OUT | GET /widget/demo/81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: ipinfo.io
2024-04-21 23:53:09 UTC | 513 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Sun, 21 Apr 2024 23:53:09 GMT
content-type: application/json; charset=utf-8
Content-Length: 980
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 2
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-21 23:53:09 UTC | 742 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-21 23:53:09 UTC | 238 | IN | Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49712 | 172.67.75.166 | 443 | 1672 | C:\ProgramData\MPGPH131\MPGPH131.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-21 23:53:09 UTC | 261 | OUT | GET /demo/home.php?s=81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: db-ip.com
2024-04-21 23:53:10 UTC | 656 | IN | HTTP/1.1 200 OK
Date: Sun, 21 Apr 2024 23:53:10 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-iplb-request-id: AC454759:4A04_93878F2E:0050_6625A6E6_938E90B:4F34
x-iplb-instance: 59215
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sGr6Mj6CB147ELrFjCYnPJYfTjr3Zly%2BAoGLC3%2FeCAnYX%2BaOqAd%2FPLPaGTJBOgCC7WDowH6d8vEosLTuZrY2K7WMPybyFspqXblPtWBbYgGwaruexuDokgbwBw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87814abd397f44f1-ATL
alt-svc: h3=":443"; ma=86400
2024-04-21 23:53:10 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-21 23:53:10 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
4           192.168.2.5  49711        34.117.186.192  443               736  C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp                Bytes transferred  Direction  Data
2024-04-21 23:53:09 UTC  237  OUT  GET /widget/demo/81.181.57.52 HTTP/1.1
  Connection: Keep-Alive
  Referer: https://ipinfo.io/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  Host: ipinfo.io
2024-04-21 23:53:09 UTC  513  IN   HTTP/1.1 200 OK
  server: nginx/1.24.0
  date: Sun, 21 Apr 2024 23:53:09 GMT
  content-type: application/json; charset=utf-8
  Content-Length: 980
  access-control-allow-origin: *
  x-frame-options: SAMEORIGIN
  x-xss-protection: 1; mode=block
  x-content-type-options: nosniff
  referrer-policy: strict-origin-when-cross-origin
  x-envoy-upstream-service-time: 2
  via: 1.1 google
  strict-transport-security: max-age=2592000; includeSubDomains
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Connection: close
2024-04-21 23:53:09 UTC  742  IN   Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
  Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-21 23:53:09 UTC  238  IN   Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
  Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
5           192.168.2.5  49713        172.67.75.166   443               736  C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp                Bytes transferred  Direction  Data
2024-04-21 23:53:10 UTC  261  OUT  GET /demo/home.php?s=81.181.57.52 HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  Host: db-ip.com
2024-04-21 23:53:10 UTC  652  IN   HTTP/1.1 200 OK
  Date: Sun, 21 Apr 2024 23:53:10 GMT
  Content-Type: application/json
  Transfer-Encoding: chunked
  Connection: close
  x-iplb-request-id: 6CA2EE8B:A8BE_93878F2E:0050_6625A6E6_93647FF:7B63
  x-iplb-instance: 59128
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=361ZuXxSEt5CUilZpEPQP8b4wCMFOyvTvUFNLPko%2F8cpiQDgNs%2BKpiNZ3BtosOYA825yYT1TO9w6RXSewcrRP6GuWjGx9QSb52pBe8YHx5W2bbQi34Vmus2QkQ%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 87814ac01ee9138f-ATL
  alt-svc: h3=":443"; ma=86400
2024-04-21 23:53:10 UTC  85   IN   Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
  Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-21 23:53:10 UTC  5    IN   Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port
6           192.168.2.5  49721        34.117.186.192  443

Timestamp                Bytes transferred  Direction  Data
2024-04-21 23:53:20 UTC  237  OUT  GET /widget/demo/81.181.57.52 HTTP/1.1
  Connection: Keep-Alive
  Referer: https://ipinfo.io/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  Host: ipinfo.io
2024-04-21 23:53:20 UTC  513  IN   HTTP/1.1 200 OK
  server: nginx/1.24.0
  date: Sun, 21 Apr 2024 23:53:20 GMT
  content-type: application/json; charset=utf-8
  Content-Length: 980
  access-control-allow-origin: *
  x-frame-options: SAMEORIGIN
  x-xss-protection: 1; mode=block
  x-content-type-options: nosniff
  referrer-policy: strict-origin-when-cross-origin
  x-envoy-upstream-service-time: 4
  via: 1.1 google
  strict-transport-security: max-age=2592000; includeSubDomains
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Connection: close
2024-04-21 23:53:20 UTC  742  IN   Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
  Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-21 23:53:20 UTC  238  IN   Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
  Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID  Source IP    Source Port  Destination IP  Destination Port
7           192.168.2.5  49722        172.67.75.166   443

Timestamp                Bytes transferred  Direction  Data
2024-04-21 23:53:21 UTC  261  OUT  GET /demo/home.php?s=81.181.57.52 HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  Host: db-ip.com
2024-04-21 23:53:21 UTC  656  IN   HTTP/1.1 200 OK
  Date: Sun, 21 Apr 2024 23:53:21 GMT
  Content-Type: application/json
  Transfer-Encoding: chunked
  Connection: close
  x-iplb-request-id: 6CA2EDAD:3916_93878F2E:0050_6625A6F1_938E9F6:4F34
  x-iplb-instance: 59215
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P9bA4ZQ45DqHMyngyLugE4xs5jInA%2BbM7MDaT%2BUkGfboufSNCV2ISF5PAzzztm9ZOko0Ux1koMTDMUuuFV3XYLMOygwdYKe6Bxacom3wBpUz5G%2BFECBhh%2FekFQ%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 87814b039d8b8bb6-ATL
  alt-svc: h3=":443"; ma=86400
2024-04-21 23:53:21 UTC  85   IN   Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
  Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-21 23:53:21 UTC  5    IN   Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port
8           192.168.2.5  49724        34.117.186.192  443

Timestamp                Bytes transferred  Direction  Data
2024-04-21 23:53:34 UTC  237  OUT  GET /widget/demo/81.181.57.52 HTTP/1.1
  Connection: Keep-Alive
  Referer: https://ipinfo.io/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  Host: ipinfo.io
2024-04-21 23:53:34 UTC  513  IN   HTTP/1.1 200 OK
  server: nginx/1.24.0
  date: Sun, 21 Apr 2024 23:53:34 GMT
  content-type: application/json; charset=utf-8
  Content-Length: 980
  access-control-allow-origin: *
  x-frame-options: SAMEORIGIN
  x-xss-protection: 1; mode=block
  x-content-type-options: nosniff
  referrer-policy: strict-origin-when-cross-origin
  x-envoy-upstream-service-time: 2
  via: 1.1 google
  strict-transport-security: max-age=2592000; includeSubDomains
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Connection: close
2024-04-21 23:53:34 UTC  742  IN   Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
  Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-21 23:53:34 UTC  238  IN   Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
  Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID: 9
Source IP: 192.168.2.5
Source Port: 49725
Destination IP: 172.67.75.166
Destination Port: 443

Timestamp / Bytes transferred / Direction / Data
2024-04-21 23:53:35 UTC  261 bytes  OUT
GET /demo/home.php?s=81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: db-ip.com
2024-04-21 23:53:35 UTC  656 bytes  IN
HTTP/1.1 200 OK
Date: Sun, 21 Apr 2024 23:53:35 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-iplb-request-id: 6CA2EE3E:9878_93878F2E:0050_6625A6FF_93649FF:7B63
x-iplb-instance: 59128
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XoX9TS4TNyJm9YmwaNg6ru2Tyzj4qvvSZ1RoIaTqlv6Ci%2B0sMRIYtaorHKBxm39EWRxGyn%2Fyb4Ls3yPbvGOqURM5tIk%2BBh028NOLcOuebUWp8Zp%2BWjxDC7FxQg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87814b5c8f5c1399-ATL
alt-svc: h3=":443"; ma=86400
2024-04-21 23:53:35 UTC  85 bytes  IN
Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-21 23:53:35 UTC  5 bytes  IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 0
Start time: 01:52:50
Start date: 22/04/2024
Path: C:\Users\user\Desktop\ygm2mXUReY.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ygm2mXUReY.exe"
Imagebase: 0x400000
File size: 997'888 bytes
MD5 hash: D668244429E4A7A0B205B2CE843B9663
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2415576693.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2413162518.000000000427D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2413282182.000000000435E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2414862397.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 2
Start time: 01:52:52
Start date: 22/04/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase: 0x640000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 01:52:52
Start date: 22/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 01:52:53
Start date: 22/04/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase: 0x640000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 01:52:53
Start date: 22/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 01:52:53
Start date: 22/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 796
Imagebase: 0x60000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 01:52:53
Start date: 22/04/2024
Path: C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit): true
Commandline: C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase: 0x400000
File size: 997'888 bytes
MD5 hash: D668244429E4A7A0B205B2CE843B9663
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.2440628791.0000000004371000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000009.00000002.2590308249.0000000004656000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000009.00000002.2590418032.0000000005FE0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 37%, ReversingLabs
• Detection: 39%, Virustotal
Reputation: low
Has exited: true

Target ID: 10
Start time: 01:52:54
Start date: 22/04/2024
Path: C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit): true
Commandline: C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase: 0x400000
File size: 997'888 bytes
MD5 hash: D668244429E4A7A0B205B2CE843B9663
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000A.00000002.2607924286.0000000005F30000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000003.2439521788.0000000008E04000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000A.00000002.2607833266.00000000046C3000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000002.2608848110.0000000008E08000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                Reputation:low
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:12
                                                                                                                                                                Start time:01:52:55
                                                                                                                                                                Start date:22/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 952
                                                                                                                                                                Imagebase:0x60000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:14
                                                                                                                                                                Start time:01:52:56
                                                                                                                                                                Start date:22/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 984
                                                                                                                                                                Imagebase:0x60000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:16
                                                                                                                                                                Start time:01:52:57
                                                                                                                                                                Start date:22/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 992
                                                                                                                                                                Imagebase:0x60000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:18
                                                                                                                                                                Start time:01:52:57
                                                                                                                                                                Start date:22/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 1056
                                                                                                                                                                Imagebase:0x60000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:21
                                                                                                                                                                Start time:01:52:58
                                                                                                                                                                Start date:22/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 800
                                                                                                                                                                Imagebase:0x60000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:22
                                                                                                                                                                Start time:01:52:58
                                                                                                                                                                Start date:22/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 772
                                                                                                                                                                Imagebase:0x60000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:24
                                                                                                                                                                Start time:01:52:59
                                                                                                                                                                Start date:22/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 1380
                                                                                                                                                                Imagebase:0x60000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:26
                                                                                                                                                                Start time:01:53:00
                                                                                                                                                                Start date:22/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 896
                                                                                                                                                                Imagebase:0x60000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:29
                                                                                                                                                                Start time:01:53:00
                                                                                                                                                                Start date:22/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 1388
                                                                                                                                                                Imagebase:0x60000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:30
                                                                                                                                                                Start time:01:53:00
                                                                                                                                                                Start date:22/04/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 912
                                                                                                                                                                Imagebase:0x60000
                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:32
Start time: 01:53:01
Start date: 22/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 900
Imagebase: 0x60000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 34
Start time: 01:53:02
Start date: 22/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 916
Imagebase: 0x60000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 37
Start time: 01:53:03
Start date: 22/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 912
Imagebase: 0x60000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 38
Start time: 01:53:03
Start date: 22/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 948
Imagebase: 0x60000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 40
Start time: 01:53:04
Start date: 22/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 1100
Imagebase: 0x60000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true


Execution Graph

Execution Coverage: 35.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 42%
Total number of Nodes: 2000
Total number of Limit Nodes: 160
[execution_graph: the node and edge listing of the rendered graph (node id, address, optional API names or "<n> API calls", and "src->dst" edges) is the graph's backing data and is omitted here. The names the report attaches to its nodes are:
4458b5 RtlFreeHeap; 4458ca GetLastError
408ff2 FreeLibrary
4d18fe DeleteFileA
4080a0 GetModuleHandleA GetProcAddress WSASend
4dbb86 GetModuleFileNameA; 4dbc08 GetUserNameA
CreateDirectoryA and CopyFileA on many nodes with addresses between 40acd2 and 410748, repeated across the subgraphs listed from 40c5cc, 40e250, 40ca55, 40aed5, 40c155, 40b362, 40d468 and 40aa6a (for example 40c88a, 40cd13, 40e456, 40ed72, 4101ad and 410748 CreateDirectoryA; 40c787, 40d1d9, 40b5a3, 410057 and 4105c0 CopyFileA)
C runtime helpers: ___std_exception_copy, ___std_exception_destroy, Concurrency::cancel_current_task, __fread_nolock (43c92f)
Nodes summarised only by a call count, e.g. 5561f0, 414090, 4034e0 and 41b4a0 (2 API calls), 4f2cd0 (4), 4081e0 and 437e86 (5), 4f2d70 and 437938 (9), 4d0620 (11), 4f2870 (13)]
2 API calls 22115->22118 22116->22091 22116->22095 22120 41b4a0 2 API calls 22116->22120 22119 4ddcdc 22117->22119 22118->22116 22122 4ddcf3 GetModuleFileNameA 22119->22122 22135 4dc7fc 22120->22135 22121->22095 22125 4dd741 __Xtime_get_ticks __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@ 22121->22125 22123 4ddd31 22122->22123 22123->22123 22128 4034e0 2 API calls 22123->22128 22126 4dc07e 22124->22126 22131 4dd758 22125->22131 22127 4f2d70 9 API calls 22126->22127 22129 4dc083 22127->22129 22133 4ddd4d 22128->22133 22129->22092 22130 4dc08e CopyFileA 22129->22130 22130->22092 22132 4dd7a9 22131->22132 22134 4034e0 2 API calls 22131->22134 22137 43beb8 5 API calls 22132->22137 22140 4034e0 2 API calls 22133->22140 22134->22132 22135->22095 22136 414090 2 API calls 22135->22136 22138 4dc916 22136->22138 22139 4dd7ee 22137->22139 22141 4f2d70 9 API calls 22138->22141 22142 437938 9 API calls 22139->22142 22145 4dde33 22140->22145 22143 4dc91b 22141->22143 22142->22095 22143->22091 22144 4dc926 CopyFileA 22143->22144 22144->22091 22146 4f2cd0 4 API calls 22145->22146 22147 4ddf21 22146->22147 22148 407b10 2 API calls 22147->22148 22149 4ddf2d 22147->22149 22148->22149 22150 41b4a0 2 API calls 22149->22150 22151 4de0a4 22150->22151 22152 414090 2 API calls 22151->22152 22153 4de165 22152->22153 22154 4f2d70 9 API calls 22153->22154 22155 4de16a CopyFileA 22154->22155 22157 4de1af 22155->22157 22158 437aee 22159 437afc 22158->22159 22162 437b06 22158->22162 22160 446260 3 API calls 22159->22160 22161 437b03 22160->22161 22164 437b34 22162->22164 22167 446260 DeleteFileW 22162->22167 22165 437b52 22164->22165 22166 4458aa __wsopen_s 2 API calls 22164->22166 22166->22165 22168 446284 22167->22168 22169 446272 GetLastError __dosmaperr 22167->22169 22168->22164 22169->22164 22201 4f6660 22206 4f66c2 22201->22206 22203 4f6848 22239 417be0 22203->22239 22204 4f71c5 22206->22204 22224 504e40 22206->22224 22207 4f71a3 22207->22204 22210 4f71bb 22207->22210 22213 504970 8 API calls 
22207->22213 22208 4f7191 22275 506dd0 22208->22275 22209 4f7129 22209->22207 22209->22208 22290 504970 22209->22290 22214 506dd0 10 API calls 22210->22214 22213->22210 22214->22204 22215 4f6a1e GetFileAttributesA 22218 4f689d 22215->22218 22216 41b4a0 2 API calls 22216->22218 22217 504970 8 API calls 22217->22218 22218->22204 22218->22209 22218->22215 22218->22216 22218->22217 22221 4f7045 std::ios_base::_Ios_base_dtor 22218->22221 22247 506920 22218->22247 22256 417280 22218->22256 22260 413180 22218->22260 22264 405de0 22218->22264 22221->22218 22225 504e4d 22224->22225 22226 504f0c 22225->22226 22233 504f6d 22225->22233 22297 437e4c 22225->22297 22293 433bfa 22226->22293 22229 504f15 22230 504f66 22229->22230 22235 504f79 22229->22235 22301 501390 22230->22301 22232 504fb5 22232->22203 22233->22203 22234 504fa0 22237 43c526 2 API calls 22234->22237 22235->22232 22235->22234 22236 43c526 2 API calls 22235->22236 22236->22234 22238 504fa9 22237->22238 22238->22203 22240 417c23 22239->22240 22308 405ad0 22240->22308 22242 417c53 22243 42df02 ___std_exception_copy 22242->22243 22246 417c98 22242->22246 22243->22246 22245 417e01 22245->22218 22246->22245 22315 42c82b 22246->22315 22248 506931 22247->22248 22249 50693b 22247->22249 22248->22218 22250 504970 8 API calls 22249->22250 22251 506947 22249->22251 22250->22251 22252 506a19 22251->22252 22253 506c9b 22251->22253 22329 501430 22251->22329 22252->22253 22332 4fdf10 22252->22332 22253->22218 22257 4172a5 22256->22257 22259 4172b1 22256->22259 22349 42d404 22257->22349 22259->22218 22261 4131c1 22260->22261 22262 413201 22261->22262 22355 4122a0 22261->22355 22262->22218 22265 405f2b 22264->22265 22266 405e1b 22264->22266 22361 405d90 22265->22361 22266->22265 22268 405eec 22266->22268 22270 405e94 22266->22270 22269 405ad0 3 API calls 22268->22269 22273 405f26 22269->22273 22270->22218 22271 42c82b FindClose FindFirstFileExW GetLastError 22271->22273 22272 406090 22272->22218 22273->22271 22273->22272 22274 
42c80a FindNextFileW GetLastError ___std_fs_directory_iterator_advance@8 22273->22274 22274->22273 22276 506df2 22275->22276 22277 506de8 22275->22277 22278 506dfe 22276->22278 22279 504970 8 API calls 22276->22279 22277->22207 22281 506e20 22278->22281 22289 501430 3 API calls 22278->22289 22279->22278 22280 43c526 2 API calls 22280->22281 22281->22280 22284 506eb2 22281->22284 22282 507105 22283 507126 22282->22283 22285 43c526 2 API calls 22282->22285 22286 43c526 2 API calls 22283->22286 22288 501390 9 API calls 22284->22288 22285->22283 22287 50712f 22286->22287 22287->22207 22288->22282 22289->22281 22366 5041a0 22290->22366 22292 50497e 22292->22208 22294 433c0e 22293->22294 22304 4335d1 22294->22304 22296 433c1a 22296->22229 22298 437e5f 22297->22298 22299 437bdd 5 API calls 22298->22299 22300 437e74 22299->22300 22300->22226 22302 437938 9 API calls 22301->22302 22303 50139b 22302->22303 22303->22233 22305 4335dd 22304->22305 22306 433692 3 API calls 22305->22306 22307 4335e4 22305->22307 22306->22307 22307->22296 22309 405b0e 22308->22309 22310 405ba9 ___std_fs_directory_iterator_open 22309->22310 22313 405bd9 22309->22313 22311 405bba 22310->22311 22310->22313 22322 405aa0 22311->22322 22313->22242 22316 42c841 22315->22316 22317 42c834 FindClose 22315->22317 22316->22245 22317->22316 22318 42c845 22317->22318 22319 42c859 FindFirstFileExW 22318->22319 22320 42c874 22319->22320 22321 42c878 GetLastError 22319->22321 22320->22245 22321->22320 22325 405aad 22322->22325 22323 405ac7 22323->22242 22325->22323 22326 42c80a FindNextFileW 22325->22326 22327 42c821 GetLastError 22326->22327 22328 42c81d 22326->22328 22327->22328 22328->22325 22330 433bfa 3 API calls 22329->22330 22331 50143b 22330->22331 22331->22252 22333 4fe158 22332->22333 22334 4fdf2c 22332->22334 22333->22253 22336 4fe0ee 22334->22336 22337 4fe1e0 22334->22337 22336->22253 22338 4fe2f1 22337->22338 22339 4fe1f3 22337->22339 22338->22336 22339->22338 22340 4fe293 22339->22340 22346 507140 
22339->22346 22341 4fe2b0 22340->22341 22344 507140 2 API calls 22340->22344 22342 4fe2c7 22341->22342 22345 507140 2 API calls 22341->22345 22342->22336 22344->22341 22345->22342 22347 43c526 2 API calls 22346->22347 22348 50714b 22347->22348 22348->22340 22351 42d387 22349->22351 22350 42d3dc 22350->22259 22351->22350 22352 437e86 5 API calls 22351->22352 22353 42d3ee 22352->22353 22353->22350 22354 437938 9 API calls 22353->22354 22354->22350 22357 4122b8 22355->22357 22356 4122be 22356->22262 22357->22356 22358 43c92f __fread_nolock 9 API calls 22357->22358 22359 412452 22357->22359 22358->22357 22359->22356 22360 43c92f __fread_nolock 9 API calls 22359->22360 22360->22356 22362 42c80a ___std_fs_directory_iterator_advance@8 2 API calls 22361->22362 22364 405da3 22362->22364 22363 405dcb 22363->22273 22364->22363 22365 42c80a ___std_fs_directory_iterator_advance@8 2 API calls 22364->22365 22365->22364 22367 50495b 22366->22367 22368 5041c0 22366->22368 22367->22292 22368->22367 22369 4fe1e0 2 API calls 22368->22369 22374 504256 22368->22374 22369->22374 22370 504447 22370->22292 22371 43c526 2 API calls 22372 504663 22371->22372 22373 504930 22372->22373 22382 501530 22372->22382 22373->22292 22374->22370 22374->22371 22376 50467e 22387 501560 22376->22387 22378 5046a6 22383 50153b 22382->22383 22385 501544 22382->22385 22386 501430 3 API calls 22383->22386 22384 501540 22384->22376 22385->22376 22386->22384 22388 50156b 22387->22388 22389 501580 22387->22389 22392 5013a0 22388->22392 22389->22378 22415 508060 22416 508081 22415->22416 22417 508075 22415->22417 22418 5561f0 2 API calls 22416->22418 22419 508095 22416->22419 22418->22419 22961 4220f3 22962 422105 22961->22962 22963 422110 22962->22963 22964 42294d 22962->22964 22965 422122 22963->22965 22966 42217c 22963->22966 22968 41c4c0 2 API calls 22964->22968 22967 411940 2 API calls 22965->22967 22969 411940 2 API calls 22966->22969 22972 422013 22966->22972 22967->22972 22970 42296f 22968->22970 
22969->22972 22987 407080 22970->22987 22975 422604 22972->22975 22978 42254b 22972->22978 22985 422783 22972->22985 22973 422a58 ___std_exception_destroy ___std_exception_destroy 22973->22978 22974 4229fc 22974->22973 22974->22985 22976 415c20 2 API calls 22975->22976 22975->22985 22977 42262a 22976->22977 22980 422c32 22977->22980 22982 422641 22977->22982 22979 422b40 ___std_exception_destroy ___std_exception_destroy 22978->22979 22978->22985 22979->22985 22981 4036f0 2 API calls 22980->22981 22981->22985 22983 4036f0 2 API calls 22982->22983 22986 42267b 22983->22986 22984 422734 ___std_exception_destroy ___std_exception_destroy 22984->22985 22986->22984 22986->22985 22988 4070f9 22987->22988 22989 4071c8 ___std_exception_copy 22988->22989 22990 40721b 22988->22990 22989->22990 22990->22974 22647 4f2c70 22648 4f2c7d 22647->22648 22649 4f2cab std::_Throw_Cpp_error 22648->22649 22650 4f2c84 22648->22650 22651 4f2cb2 std::_Throw_Cpp_error 22649->22651 22650->22651 22652 4f2c90 CreateDirectoryA 22650->22652 22653 4f2ca4 22652->22653 19942 42e481 19947 42e48d ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 19942->19947 19943 42e5e7 20078 43dfae 19943->20078 19945 42e5f4 19946 42e4dd 19947->19943 19947->19946 19952 453c30 19947->19952 19953 42efb0 19952->19953 19954 453c40 Sleep 19953->19954 19955 453c4f 19954->19955 19956 453dc8 GetCurrentProcess SetPriorityClass SetUnhandledExceptionFilter 19955->19956 20081 45a5c0 GetCursorPos 19956->20081 19958 453dea SetThreadExecutionState 19960 453e13 19958->19960 19961 453e20 LoadLibraryA 19960->19961 19962 45412a 19961->19962 19963 45413e GetModuleFileNameA 19962->19963 19964 45416a 19963->19964 19965 414090 2 API calls 19964->19965 19966 45417c 19965->19966 20089 4f3350 19966->20089 19968 45418d 19969 4545a5 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@ 19968->19969 19970 4545ee __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@ 19969->19970 19972 45465d GetProcessId 19970->19972 19974 45474f 19972->19974 20521 
43dde2 20078->20521 20080 43dfbf 20080->19945 20082 45a5d5 GetCursorPos 20081->20082 20083 45a6a8 GetPEB 20082->20083 20085 45a5e7 20082->20085 20083->20085 20084 45a5f3 GetPEB 20084->20085 20085->20083 20085->20084 20086 45a71d Sleep 20085->20086 20087 45a668 Sleep GetCursorPos 20085->20087 20088 45a747 20085->20088 20086->20082 20087->20083 20087->20085 20088->19958 20090 42df02 ___std_exception_copy 20089->20090 20091 4f339b 20090->20091 20095 4f34fa 20091->20095 20242 437e86 20091->20242 20095->19968 20243 437e99 20242->20243 20262 437bdd 20243->20262 20245 437eae 20263 437be9 20262->20263 20265 437bef 20263->20265 20266 437d60 20263->20266 20265->20245 20267 437d73 20266->20267 20268 437d86 20266->20268 20267->20265 20522 43de0f 20521->20522 20525 43dc73 20522->20525 20524 43de58 20524->20080 20526 43dc7f 20525->20526 20529 43dcfa 20526->20529 20528 43dc96 20528->20524 20531 43dd06 20529->20531 20530 43dd6a 20530->20528 20531->20530 20533 440f65 __EH_prolog3 20531->20533 20536 440cbd 20533->20536 20535 440f98 20535->20530 20537 440cc9 20536->20537 20540 440e75 20537->20540 20539 440ce4 20539->20535 20541 440e8c 20540->20541 20542 440e94 20540->20542 20541->20539 20542->20541 20543 4458aa __wsopen_s 2 API calls 20542->20543 20543->20541 20544 410887 20545 41088c 20544->20545 20546 41089e CreateDirectoryA 20545->20546 20547 4108ab 20546->20547 20548 4f2870 13 API calls 20547->20548 20549 410b43 20548->20549 20550 40b786 20551 40b78b 20550->20551 20554 4f2d70 20551->20554 20553 40b872 20555 4f2e12 20554->20555 20556 437938 9 API calls 20555->20556 20557 4f2e1f 20555->20557 20556->20557 20557->20553 20558 44550f 20559 445525 20558->20559 20560 44554e 20559->20560 20562 43d543 20559->20562 20565 43ceeb 20562->20565 20564 43d55e 20564->20560 20566 43cef7 20565->20566 20568 43cefe 20566->20568 20569 43d4d5 20566->20569 20568->20564 20570 43d4f7 20569->20570 20572 43d50b 20570->20572 20575 43d563 20570->20575 20573 43d53d 20572->20573 20574 4458aa __wsopen_s 2 API 
calls 20572->20574 20573->20568 20574->20573 20576 43d580 20575->20576 20586 43d595 20576->20586 20593 44902a 20576->20593 20578 43d5b3 20578->20586 20598 43d21c CreateFileW 20578->20598 20580 43d689 GetFileType 20581 43d694 GetLastError __dosmaperr CloseHandle 20580->20581 20587 43d6db 20580->20587 20581->20586 20591 43d6cb 20581->20591 20582 43d65e GetLastError __dosmaperr 20582->20586 20583 43d60c 20583->20580 20583->20582 20599 43d21c CreateFileW 20583->20599 20585 43d651 20585->20580 20585->20582 20586->20572 20587->20586 20588 43d807 CloseHandle 20587->20588 20600 43d21c CreateFileW 20588->20600 20590 43d832 20590->20591 20592 43d83c GetLastError __dosmaperr 20590->20592 20591->20586 20592->20591 20594 449036 20593->20594 20595 4490d1 EnterCriticalSection 20594->20595 20597 449062 20594->20597 20596 4490de LeaveCriticalSection 20595->20596 20595->20597 20596->20594 20597->20578 20598->20583 20599->20585 20600->20590 20601 40e58b 20602 40e590 20601->20602 20603 4f2cd0 4 API calls 20602->20603 20604 40e66c 20603->20604 20605 414090 2 API calls 20604->20605 20609 40e699 20604->20609 20607 40e684 20605->20607 20606 4f2870 13 API calls 20610 40e6ab 20606->20610 20608 414090 2 API calls 20607->20608 20608->20609 20609->20606 20609->20610 20611 40e791 CreateDirectoryA 20610->20611 20612 40e960 20611->20612 20616 40e79e 20611->20616 20613 40ea46 CreateDirectoryA 20612->20613 20614 40f9f6 20613->20614 20622 40ea53 20613->20622 20615 40fac7 CreateDirectoryA 20614->20615 20624 40fad4 20615->20624 20646 4100cb 20615->20646 20617 4f2cd0 4 API calls 20616->20617 20618 40e921 20617->20618 20620 414090 2 API calls 20618->20620 20628 40e94e 20618->20628 20619 4101ad CreateDirectoryA 20630 4101ba 20619->20630 20659 4105ff 20619->20659 20623 40e939 20620->20623 20621 4f2870 13 API calls 20621->20612 20626 4f2cd0 4 API calls 20622->20626 20625 414090 2 API calls 20623->20625 20633 414090 2 API calls 20624->20633 20625->20628 20629 40ebda 20626->20629 20627 4f2870 13 API calls 
20653 410626 20627->20653 20628->20612 20628->20621 20631 40f9e7 20629->20631 20636 40ebe2 20629->20636 20630->20630 20635 4034e0 2 API calls 20630->20635 20632 4f2870 13 API calls 20631->20632 20632->20614 20634 40fc5b 20633->20634 20669 4d0620 20634->20669 20640 41028c 20635->20640 20638 4f2cd0 4 API calls 20636->20638 20639 40eca8 20638->20639 20644 40ecb0 20639->20644 20648 40ed7d 20639->20648 20640->20640 20641 41c4c0 2 API calls 20640->20641 20651 410358 20641->20651 20642 4100b6 20643 4f2870 13 API calls 20642->20643 20642->20646 20643->20646 20647 40ed72 CreateDirectoryA 20644->20647 20645 414090 2 API calls 20663 40fc6a 20645->20663 20646->20619 20647->20648 20649 414090 2 API calls 20648->20649 20650 40ee67 20648->20650 20649->20650 20652 4f2cd0 4 API calls 20651->20652 20658 410385 20652->20658 20654 410748 CreateDirectoryA 20653->20654 20656 410755 20653->20656 20654->20656 20655 4105f0 20657 4f2870 13 API calls 20655->20657 20657->20659 20658->20655 20660 4f2d70 9 API calls 20658->20660 20659->20627 20659->20653 20661 410441 20660->20661 20661->20655 20662 41044c 20661->20662 20665 4105c0 CopyFileA 20662->20665 20663->20642 20663->20645 20666 40ff60 20663->20666 20664 410057 CopyFileA 20664->20666 20667 4105d7 20665->20667 20666->20663 20666->20664 20667->20655 20668 4105ea 20667->20668 20668->20659 20670 4d0712 20669->20670 20670->20670 20671 41b4a0 2 API calls 20670->20671 20677 4d0b2b 20670->20677 20672 4d074e FindFirstFileA 20671->20672 20686 4d0785 20672->20686 20673 4d0a5c 20673->20663 20674 4d0a2e FindNextFileA 20675 4d0a44 GetLastError 20674->20675 20674->20686 20676 4d0a53 FindClose 20675->20676 20675->20686 20676->20673 20678 4034e0 2 API calls 20677->20678 20689 4d0d0d 20677->20689 20682 4d0d5b 20678->20682 20679 4034e0 2 API calls 20679->20686 20681 4d0de7 20683 413df0 2 API calls 20681->20683 20682->20689 20692 4d1240 20682->20692 20685 4d0e01 20683->20685 20684 41b4a0 2 API calls 20684->20686 20687 4d0ea8 20685->20687 20688 4d0e0e 
20685->20688 20686->20673 20686->20674 20686->20677 20686->20679 20686->20684 20687->20689 20688->20689 20689->20663 20693 4d1260 CryptUnprotectData 20692->20693 20694 4d127b 20693->20694 20696 4d1286 20693->20696 20694->20693 20694->20696 20695 4d12aa 20695->20681 20696->20695 20697 4d12a1 LocalFree 20696->20697 20698 4d12b3 20696->20698 20697->20695 20699 4034e0 2 API calls 20698->20699 20700 4d12ff 20699->20700 20701 43c526 2 API calls 20700->20701 20703 4d1374 20700->20703 20702 4d135f LocalFree 20701->20702 20702->20681 20799 4d1380 20800 414090 2 API calls 20799->20800 20801 4d13b1 20800->20801 20802 414090 2 API calls 20801->20802 20803 4d13c1 20802->20803 20804 4f1f00 SetupDiGetClassDevsA 20805 4f1f22 20804->20805 20876 409010 20877 409067 20876->20877 20877->20877 20878 4034e0 2 API calls 20877->20878 20884 40a467 20877->20884 20879 4091a1 20878->20879 20880 42df02 ___std_exception_copy 20879->20880 20882 409223 20879->20882 20879->20884 20880->20882 20881 411940 2 API calls 21003 409333 20881->21003 20882->20881 20882->20884 20883 40a44a 20885 40abda 20884->20885 20886 40a600 CreateDirectoryA 20884->20886 20887 40de86 20885->20887 20889 40acd2 CreateDirectoryA 20885->20889 20886->20885 20893 40a60b 20886->20893 20888 410626 20887->20888 20890 40dfb3 CreateDirectoryA 20887->20890 20891 410748 CreateDirectoryA 20888->20891 20892 410755 20888->20892 20889->20887 20894 40acdd 20889->20894 20890->20888 20896 40dfc0 20890->20896 20891->20892 20895 40a6d0 CreateDirectoryA 20893->20895 20897 40ada2 CreateDirectoryA 20894->20897 20898 40a6e1 20895->20898 20902 40a828 20895->20902 20899 40e083 CreateDirectoryA 20896->20899 20903 40adad 20897->20903 20900 40a6f4 SHGetFolderPathA 20898->20900 20901 40e090 20899->20901 20906 40e397 20899->20906 20912 40a7af 20900->20912 20904 40a910 CreateDirectoryA 20902->20904 20905 40b193 CreateDirectoryA 20903->20905 20907 40abc5 20904->20907 20908 40a91b 20904->20908 20913 40b19e 20905->20913 20909 40e456 CreateDirectoryA 
20906->20909 20907->20885 20910 4f2870 13 API calls 20907->20910 20911 40a92e SHGetFolderPathA 20908->20911 20914 40e463 20909->20914 20910->20885 20917 4f2cd0 4 API calls 20912->20917 20915 40bf0a CreateDirectoryA 20913->20915 20916 40e791 CreateDirectoryA 20914->20916 20919 40bf15 20915->20919 20924 40e960 20916->20924 20933 40e79e 20916->20933 20918 40a7e9 20917->20918 20920 414090 2 API calls 20918->20920 20929 40a816 20918->20929 20922 40c499 CreateDirectoryA 20919->20922 20923 40a801 20920->20923 20921 4f2870 13 API calls 20921->20902 20925 40c4a4 20922->20925 20928 40c7c9 20922->20928 20926 414090 2 API calls 20923->20926 20927 40ea46 CreateDirectoryA 20924->20927 20926->20929 20938 40ea53 20927->20938 20959 40f9f6 20927->20959 20930 40c88a CreateDirectoryA 20928->20930 20929->20902 20929->20921 20932 40c895 20930->20932 20937 40cc52 20930->20937 20931 40fac7 CreateDirectoryA 20940 4100cb 20931->20940 20945 40fad4 20931->20945 20934 4f2cd0 4 API calls 20933->20934 20935 40e921 20934->20935 20942 414090 2 API calls 20935->20942 20949 40e94e 20935->20949 20936 42df02 ___std_exception_copy 20936->21003 20939 40cd13 CreateDirectoryA 20937->20939 20947 4f2cd0 4 API calls 20938->20947 20951 40d24d 20939->20951 20958 40cd1e 20939->20958 20941 4101ad CreateDirectoryA 20940->20941 20953 4101ba 20941->20953 20990 4105ff 20941->20990 20944 40e939 20942->20944 20943 4f2870 13 API calls 20943->20924 20946 414090 2 API calls 20944->20946 20957 414090 2 API calls 20945->20957 20946->20949 20950 40ebda 20947->20950 20948 4f2870 13 API calls 20948->20888 20949->20924 20949->20943 20954 40f9e7 20950->20954 20962 40ebe2 20950->20962 20952 40d32f CreateDirectoryA 20951->20952 20955 40d33c 20952->20955 20953->20953 20961 4034e0 2 API calls 20953->20961 20956 4f2870 13 API calls 20954->20956 20955->20887 20964 4f2870 13 API calls 20955->20964 20956->20959 20960 40fc5b 20957->20960 20966 414090 2 API calls 20958->20966 20959->20931 20963 4d0620 11 API calls 20960->20963 20969 
41028c 20961->20969 20965 4f2cd0 4 API calls 20962->20965 20994 40fc6a 20963->20994 20964->20887 20967 40eca8 20965->20967 20968 40cea5 20966->20968 20975 40ecb0 20967->20975 20979 40ed7d 20967->20979 20971 4d0620 11 API calls 20968->20971 20969->20969 20972 41c4c0 2 API calls 20969->20972 20970 4180f0 ___std_exception_copy ___std_exception_copy 20970->21003 20996 40ceb4 20971->20996 20984 410358 20972->20984 20973 4100b6 20973->20940 20974 4f2870 13 API calls 20973->20974 20974->20940 20978 40ed72 CreateDirectoryA 20975->20978 20976 411940 ___std_exception_copy ___std_exception_copy 20976->21003 20977 414090 2 API calls 20977->20994 20978->20979 20980 414090 2 API calls 20979->20980 20982 40ee67 20979->20982 20980->20982 20981 40d238 20981->20951 20983 4f2870 13 API calls 20981->20983 20983->20951 20986 4f2cd0 4 API calls 20984->20986 20985 414090 2 API calls 20985->20996 20989 410385 20986->20989 20987 4105f0 20988 4f2870 13 API calls 20987->20988 20988->20990 20989->20987 20991 4f2d70 9 API calls 20989->20991 20990->20888 20990->20948 20992 410441 20991->20992 20992->20987 20994->20973 20994->20977 20998 40ff60 20994->20998 20995 410057 CopyFileA 20995->20998 20996->20981 20996->20985 21002 40d0fa 20996->21002 20998->20994 20998->20995 20999 40d1d9 CopyFileA 20999->21002 21002->20996 21002->20999 21003->20883 21003->20884 21003->20936 21003->20970 21003->20976 21004 415690 ___std_exception_copy ___std_exception_copy 21003->21004 21004->21003 21019 425390 21022 4253a7 21019->21022 21028 425404 21019->21028 21020 4254a7 21021 403070 Concurrency::cancel_current_task ___std_exception_copy 21020->21021 21021->21028 21022->21020 21023 4253f3 21022->21023 21024 42541a 21022->21024 21023->21020 21025 4253fe 21023->21025 21026 42df02 ___std_exception_copy 21024->21026 21024->21028 21027 42df02 ___std_exception_copy 21025->21027 21026->21028 21027->21028 21029 42df02 ___std_exception_copy 21028->21029 21030 425481 21028->21030 21031 42550f 21029->21031 21032 42551a 
21031->21032 21035 4280b0 21031->21035 21034 425624 21036 4280f9 21035->21036 21037 4280b9 21035->21037 21036->21036 21037->21036 21039 42df02 ___std_exception_copy 21037->21039 21041 4280d0 21037->21041 21038 42df02 ___std_exception_copy 21040 4280f2 21038->21040 21039->21041 21040->21034 21041->21038 21042 4280d9 21041->21042 21042->21034 21135 45b010 21136 45b078 21135->21136 21137 45b127 CreateDirectoryA 21136->21137 21138 45c246 21137->21138 21170 45b155 21137->21170 21140 45c308 CreateDirectoryA 21138->21140 21155 45d4dc 21138->21155 21139 45c218 21141 414090 2 API calls 21139->21141 21140->21155 21173 45c330 21140->21173 21144 45c229 21141->21144 21142 45d4ae 21143 414090 2 API calls 21142->21143 21148 45d4bf 21143->21148 21144->21138 21145 4f2870 13 API calls 21144->21145 21145->21138 21146 414090 2 API calls 21147 45d549 21146->21147 21150 4f2870 13 API calls 21148->21150 21148->21155 21149 4036f0 ___std_exception_copy ___std_exception_copy 21149->21170 21150->21155 21151 45db20 std::_Throw_Cpp_error 21153 45db27 std::_Throw_Cpp_error 21151->21153 21152 4036f0 ___std_exception_copy ___std_exception_copy 21152->21173 21153->21155 21154 45dac6 21154->21151 21155->21146 21155->21147 21156 45b6bf CreateDirectoryA 21156->21170 21157 45c8f6 CreateDirectoryA 21157->21173 21158 45c8b1 GetFileAttributesA 21159 45c8bd GetLastError 21158->21159 21160 45c8ad 21158->21160 21159->21160 21160->21157 21160->21158 21160->21173 21161 41b4a0 ___std_exception_copy ___std_exception_copy 21161->21173 21162 45b8db CreateDirectoryA 21162->21170 21163 4034e0 2 API calls 21163->21170 21164 45cb3b CreateDirectoryA 21164->21173 21165 41b4a0 ___std_exception_copy ___std_exception_copy 21165->21170 21166 4034e0 2 API calls 21166->21173 21167 45ba60 CreateDirectoryA 21167->21170 21168 413df0 2 API calls 21168->21170 21169 4f2cd0 GetFileAttributesA GetLastError std::_Throw_Cpp_error std::_Throw_Cpp_error 21169->21173 21170->21139 21170->21149 21170->21154 21170->21156 21170->21162 
21170->21163 21170->21165 21170->21167 21170->21168 21171 4f2cd0 GetFileAttributesA GetLastError std::_Throw_Cpp_error std::_Throw_Cpp_error 21170->21171 21171->21170 21172 413df0 2 API calls 21172->21173 21173->21142 21173->21151 21173->21152 21173->21153 21173->21154 21173->21155 21173->21160 21173->21161 21173->21164 21173->21166 21173->21169 21173->21172 21174 45d1e1 CreateDirectoryA 21173->21174 21174->21173 21370 45a790 21371 45a7dd 21370->21371 21379 45a92c 21370->21379 21372 41b4a0 2 API calls 21371->21372 21378 45aa72 21371->21378 21376 45a8b3 21372->21376 21373 41b4a0 2 API calls 21374 45aa5d 21373->21374 21375 414090 2 API calls 21374->21375 21375->21378 21419 4f2150 GdiplusStartup 21376->21419 21380 45aaaa 21378->21380 21381 45b127 CreateDirectoryA 21378->21381 21379->21373 21379->21378 21382 45c246 21381->21382 21414 45b155 21381->21414 21384 45c308 CreateDirectoryA 21382->21384 21398 45d4dc 21382->21398 21383 45c218 21385 414090 2 API calls 21383->21385 21384->21398 21416 45c330 21384->21416 21388 45c229 21385->21388 21386 45d4ae 21387 414090 2 API calls 21386->21387 21392 45d4bf 21387->21392 21388->21382 21389 4f2870 13 API calls 21388->21389 21389->21382 21390 414090 2 API calls 21391 45d549 21390->21391 21393 4f2870 13 API calls 21392->21393 21392->21398 21393->21398 21394 45db20 std::_Throw_Cpp_error 21395 45db27 std::_Throw_Cpp_error 21394->21395 21395->21398 21396 45dac6 21396->21394 21397 4036f0 ___std_exception_copy ___std_exception_copy 21397->21416 21398->21390 21398->21391 21399 45b6bf CreateDirectoryA 21399->21414 21400 45c8f6 CreateDirectoryA 21400->21416 21401 45c8b1 GetFileAttributesA 21402 45c8bd GetLastError 21401->21402 21403 45c8ad 21401->21403 21402->21403 21403->21400 21403->21401 21403->21416 21404 4f2cd0 GetFileAttributesA GetLastError std::_Throw_Cpp_error std::_Throw_Cpp_error 21404->21414 21405 45b8db CreateDirectoryA 21405->21414 21406 4f2cd0 GetFileAttributesA GetLastError std::_Throw_Cpp_error std::_Throw_Cpp_error 
[Call-graph data: the original page renders this as an interactive graph and only the raw edge list survived extraction; it is not reproduced. Recoverable API nodes, grouped by the function that issues them:
 45cb3b, 45ba60, 45d1e1: CreateDirectoryA
 4f2197: GetSystemMetrics (x2), GetDC, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, BitBlt, GdipCreateBitmapFromHBITMAP, GdipGetImageEncodersSize, GdipGetImageEncoders, GdipSaveImageToFile, DeleteObject, GdipDisposeImage, ReleaseDC, GdiplusShutdown (screen capture written out through GDI+)
 444f22: RtlAllocateHeap; 5561f0: RtlFreeHeap, GetLastError; 4458aa: __wsopen_s; 43c92f: __fread_nolock
 4cc610 (via 4cc75f) and 4b36b0 (via 4b382c): SHGetFolderPathA
 49d110: RegOpenKeyExA, RegEnumKeyA, RegOpenKeyExA, repeated RegQueryValueExA (49d436, 49d6b8, 49d7b2, 49d8f3, 49d9e0, 49dacd, 49dbba), RegCloseKey
 4a0020: CreateFileA, GetFileSize, ReadFile, CloseHandle
 40bbaa: long chain of CreateDirectoryA calls (40bf0a through 40fac7) with CopyFileA at 40d1d9
 4e35a0 and 4e375c: GetLastError, CopyFileA, RmStartSession, RmRegisterResources, RmGetList, RmShutdown, RmEndSession, SetLastError (Restart Manager API, i.e. file-lock handling before the copy)
 4f8df9: GetLastError]

                                                                                                                                                                  Control-flow Graph

[Control-flow graph of function 0045578C: rendered as an interactive graph on the original page (executed / not executed blocks colour-coded); the edge list is not reproduced. Recoverable structure: CreateMutexA immediately followed by GetLastError at the entry; Sleep loops (4558a0, 455983); shutdown, closesocket, WSACleanup; a loop at 4559c0 that reads the PEB (GetPEB) before continuing; a large block with OutputDebugStringA, GetProcAddress/GetCurrentProcess and two CreateThread calls; and an error path (45a330 onward) that again calls CreateMutexA/GetLastError, sleeps, then shutdown/closesocket. The APIs it reaches are listed below.]
                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 0045586E
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00455880
                                                                                                                                                                  • Sleep.KERNEL32(00000529), ref: 004558A5
                                                                                                                                                                  • Sleep.KERNEL32(0000002F), ref: 00455985
                                                                                                                                                                  • shutdown.WS2_32(00000002), ref: 004559A3
                                                                                                                                                                  • closesocket.WS2_32 ref: 004559AF
                                                                                                                                                                  • WSACleanup.WS2_32 ref: 004559B5
                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00455A77
                                                                                                                                                                  • Sleep.KERNELBASE(00000065), ref: 00455CD9
                                                                                                                                                                  • Sleep.KERNEL32(00000000), ref: 00455D96
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 004567CD
                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000000), ref: 004567DB
                                                                                                                                                                  • OutputDebugStringA.KERNELBASE(Dk43l_dwmk438*,?,00000018,0000000A,Function_000031C0,?,?,?,?,?,?,?,?,?,?), ref: 004567EF
                                                                                                                                                                  • OutputDebugStringA.KERNELBASE(ewetwertyer eytdryrtdy,?,?), ref: 004569BE
                                                                                                                                                                  • OutputDebugStringA.KERNEL32(td ydrthrhfty,?,?,?,?,?,?,?), ref: 00456F72
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Sleep$DebugOutputString$AddressCleanupCreateCurrentErrorLastMutexProcProcessUnothrow_t@std@@@__ehfuncinfo$??2@closesocketshutdown
                                                                                                                                                                  • String ID: 43t res tgy45yfhyrt$Dk43l_dwmk438*$er ert 346 34634 6ch$ewetwertyer eytdryrtdy$ntdll.dll$td ydrthrhfty
                                                                                                                                                                  • API String ID: 3261302857-3574556348
                                                                                                                                                                  • Opcode ID: e2264d598bb945190a8d28aa9f3342592530cff6afa120e4bdadfad501149194
                                                                                                                                                                  • Instruction ID: b7004e79db67d020d65fac00f85910b7803af71aabf98f32d17772c606b18a4d
                                                                                                                                                                  • Opcode Fuzzy Hash: e2264d598bb945190a8d28aa9f3342592530cff6afa120e4bdadfad501149194
                                                                                                                                                                  • Instruction Fuzzy Hash: 74A302B45083818FC335CF19C491AABBBE1BFD8344F54495EE8899B352DB34A949CF86
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%
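As an added example (not part of the Joe Sandbox report and not code from the analysed sample), the Python below parses API trace lines in the exact shape printed above ("• Api.MODULE(args), ref: ADDRESS", plus the indented "Part of subcall function ..." variant) and turns them into the coarse behaviour indicators the report's signatures refer to: the CreateMutexA/GetLastError single-instance guard, total Sleep-based delay, the Winsock teardown chain, run-time import resolution via GetProcAddress, and the junk strings handed to OutputDebugStringA. The embedded trace is constructed from lines of this report; the indicator names and the grouping logic are the example's own assumptions, not Joe Sandbox's.

```python
"""Parse Joe Sandbox per-function API trace lines and flag behaviours.

Added example; not part of the Joe Sandbox report and not code from the
analysed sample. Indicator names below are this example's own choices.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: lines copied in the shape the report prints them
# ("• Api.MODULE(args), ref: ADDRESS"); values taken from the 0045578C block.
SAMPLE_TRACE = """
• CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 0045586E
• GetLastError.KERNEL32 ref: 00455880
• Sleep.KERNEL32(00000529), ref: 004558A5
• Sleep.KERNEL32(0000002F), ref: 00455985
• shutdown.WS2_32(00000002), ref: 004559A3
• closesocket.WS2_32 ref: 004559AF
• WSACleanup.WS2_32 ref: 004559B5
• Sleep.KERNELBASE(00000065), ref: 00455CD9
• Sleep.KERNEL32(00000000), ref: 00455D96
• GetProcAddress.KERNEL32(00000000,?), ref: 004567CD
• GetCurrentProcess.KERNEL32(00000000), ref: 004567DB
• OutputDebugStringA.KERNELBASE(Dk43l_dwmk438*,?,00000018,0000000A,Function_000031C0,?,?), ref: 004567EF
• OutputDebugStringA.KERNELBASE(ewetwertyer eytdryrtdy,?,?), ref: 004569BE
• OutputDebugStringA.KERNEL32(td ydrthrhfty,?,?,?,?,?,?,?), ref: 00456F72
  • Part of subcall function 004E2FA0: __Xtime_get_ticks.LIBCPMT ref: 004E2FA1
"""

SUBCALL_RE = re.compile(r"Part of subcall function\s+[0-9A-Fa-f]+:\s*")
LINE_RE = re.compile(
    r"^\W*(?P<api>\w+)\.(?P<module>\w+)"      # bullet, then CreateMutexA.KERNEL32
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*"      # optional (args), then "ref:"
    r"(?P<ref>[0-9A-Fa-f]{1,8})\s*$"          # call-site address
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                # address of the call site
    subcall: bool = False   # listed as "Part of subcall function ..."


def _hex(arg: str) -> Optional[int]:
    """Literal 8-digit hex argument, or None for '?' and string arguments."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def parse_trace(text: str) -> List[ApiCall]:
    """Return the calls in report order; lines that do not parse are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        subcall = SUBCALL_RE.search(line) is not None
        m = LINE_RE.match(SUBCALL_RE.sub("", line))
        if m is None:
            continue  # CRT symbols containing '$' or '@' are not handled here
        raw = m.group("args") or ""
        # The report separates arguments with ','; the string arguments seen
        # in this report contain no commas, so a plain split is enough.
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), subcall))
    return calls


def classify(calls: List[ApiCall]) -> Dict[str, object]:
    """Map the ordered call list to coarse behaviour indicators."""
    top = [c for c in calls if not c.subcall]      # the function's own calls
    present = {c.api for c in top}
    # 1. Single-instance guard: CreateMutex* immediately followed by
    #    GetLastError (the caller is testing for ERROR_ALREADY_EXISTS).
    single_instance = any(
        a.api.startswith("CreateMutex") and b.api == "GetLastError"
        for a, b in zip(top, top[1:])
    )
    # 2. Total literal Sleep() delay in ms; '?' placeholders contribute 0.
    sleep_ms = sum((_hex(c.args[0]) or 0)
                   for c in top if c.api == "Sleep" and c.args)
    # 3. Orderly Winsock teardown: all three calls present.
    winsock_teardown = {"shutdown", "closesocket", "WSACleanup"} <= present
    # 4. Imports resolved at run time instead of through the import table.
    dynamic_import = "GetProcAddress" in present
    # 5. Distinct literal strings handed to OutputDebugString*: only an
    #    attached debugger sees them, which makes them a cheap family marker.
    debug_strings: List[str] = []
    for c in top:
        if c.api.startswith("OutputDebugString") and c.args:
            s = c.args[0]
            if s != "?" and _hex(s) is None and s not in debug_strings:
                debug_strings.append(s)
    return {
        "single_instance_mutex": single_instance,
        "sleep_ms": sleep_ms,
        "winsock_teardown": winsock_teardown,
        "dynamic_import": dynamic_import,
        "debug_strings": debug_strings,
        "call_count": len(top),
        "subcall_count": len(calls) - len(top),
    }


if __name__ == "__main__":
    for key, value in classify(parse_trace(SAMPLE_TRACE)).items():
        print(f"{key}: {value}")
```

The same parser takes the API block of any function on the page, so running it over several functions and diffing the indicator dictionaries is a quick way to see which routines carry the evasion logic (mutex guard, PEB-dependent sleeps) and which only do the stealing (registry walk, CreateFileA/ReadFile, Restart Manager plus CopyFileA).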

                                                                                                                                                                  Control-flow Graph

[Control-flow graph of function 00453C30: rendered as an interactive graph on the original page (executed / not executed blocks colour-coded); the edge list is not reproduced. Recoverable structure: Sleep at the entry; GetCurrentProcess, SetPriorityClass, SetUnhandledExceptionFilter, SetThreadExecutionState; LoadLibraryA, GetModuleFileNameA, GetProcessId; repeated loops that read the PEB (GetPEB at 454e8c, 4551b0, 4556c9 and 455748); LoadLibraryA, CreateThread, FindCloseChangeNotification; GetTempPathA, two CreateDirectoryA calls and SetCurrentDirectoryA; then the same tail as 0045578C (OutputDebugStringA, two CreateThread calls, CreateMutexA/GetLastError, Sleep, shutdown/closesocket). The APIs it reaches are listed below.]
APIs
• Sleep.KERNELBASE(00000025), ref: 00453C44
  • Part of subcall function 004E2FA0: __Xtime_get_ticks.LIBCPMT ref: 004E2FA1
  • Part of subcall function 004E2FA0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004E2FAF
• GetCurrentProcess.KERNEL32(00008000,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000001), ref: 00453DCD
• SetPriorityClass.KERNELBASE(00000000), ref: 00453DD4
• SetUnhandledExceptionFilter.KERNEL32(0045A780), ref: 00453DDF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: ClassCurrentExceptionFilterPriorityProcessSleepUnhandledUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
• String ID: 131$147.45.47.93:58709$43t res tgy45yfhyrt$Dk43l_dwmk438*$er ert 346 34634 6ch
• API String ID: 1211644118-3950233817
• Opcode ID: 8d8c02fe4a4adf820417fc490fd3e6e4d0eacc456a3f3a4f9d37f490fef82baa
• Instruction ID: 58df280d1c5bcf31294a4ea42ed0208b52652377ae8c263acff41185647b5a58
• Opcode Fuzzy Hash: 8d8c02fe4a4adf820417fc490fd3e6e4d0eacc456a3f3a4f9d37f490fef82baa
• Instruction Fuzzy Hash: F70326B45083829FC324DF29C491AABBBE4FFD8345F40491EE98997352DB30A549CF96
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004F2F40: GetModuleHandleA.KERNEL32(?), ref: 004F3048
  • Part of subcall function 004F2F40: GetProcAddress.KERNEL32(00000000,?), ref: 004F3053
• CreateDirectoryA.KERNELBASE(00000000,00000000,?), ref: 0040A601
Strings
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: AddressCreateDirectoryHandleModuleProc
• String ID: U5I
• API String ID: 2385557062-2587217555
• Opcode ID: 8c11a0b71fb49e27c04e9c61b3a7d0b6115fdaaf64288d36ff250782081a8979
• Instruction ID: 4cdd386919e838af970f59fa8ac5a494f476b57722eda99af27e3df303c9e173
• Opcode Fuzzy Hash: 8c11a0b71fb49e27c04e9c61b3a7d0b6115fdaaf64288d36ff250782081a8979
• Instruction Fuzzy Hash: EAA3DFB4D052689BDB25CFA9D991ADDFBB0BF48304F1081DAE849B7341DB306A84CF65
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,?,?,?,?,?,?,?,?,?), ref: 0049D33D
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0049D374
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0049D39A
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000001,?,?), ref: 0049D53A
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000104), ref: 0049D7A8
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000001,?,?), ref: 0049D895
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000003,?,?), ref: 0049D9D6
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000003,?,?), ref: 0049DAC3
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000003,?,?), ref: 0049DBB0
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000003,?,?), ref: 0049DC9D
  • Part of subcall function 0042FC4B: RaiseException.KERNEL32(E06D7363,00000001,00000003,00417EFB,?,?,?,0042C598,00417EFB,005784EC,?,00417EFB), ref: 0042FCAB
• RegCloseKey.ADVAPI32(00000000), ref: 0049EE67
• RegEnumKeyA.ADVAPI32(?,00000001,?,00000104), ref: 0049EEA0
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0049EEB4
Strings
• cannot use operator[] with a string argument with , xrefs: 0049EF75
• invalid stoi argument, xrefs: 004A002F
• stoi argument out of range, xrefs: 004A0025
• cannot use push_back() with , xrefs: 0049EF16
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: QueryValue$CloseEnumOpen$ExceptionRaise
• String ID: cannot use operator[] with a string argument with $cannot use push_back() with $invalid stoi argument$stoi argument out of range
• API String ID: 2021570681-1606007317
• Opcode ID: 71b2d8943ec01a9fff98d9eed412fd704d662f4c64c517adeec3da0b722de419
• Instruction ID: 57cc1c8c03c56a0844d741e814d2024dbcff269c685614372db8ad591986b9b7
• Opcode Fuzzy Hash: 71b2d8943ec01a9fff98d9eed412fd704d662f4c64c517adeec3da0b722de419
• Instruction Fuzzy Hash: 726336B4D002689FDB25CF68C885BEEBBB5BF49304F1481EAE449A7341DB346A85CF54
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• CreateThread.KERNELBASE(00000000,00000000,Function_000D23C0,00000000,00000000,00000000), ref: 0045518C
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00455193
• Sleep.KERNELBASE(00000001), ref: 00455259
• GetTempPathA.KERNEL32(000000FC,?,?), ref: 00455358
  • Part of subcall function 004F2CD0: GetFileAttributesA.KERNELBASE(?,?,?,0055A5B3,000000FF), ref: 004F2D0C
  • Part of subcall function 004F2CD0: GetLastError.KERNEL32(?,?,0055A5B3,000000FF), ref: 004F2D17
  • Part of subcall function 004F2870: FindFirstFileA.KERNELBASE(?,?,00588E90,?,?,?,\*.*,00000004), ref: 004F298C
  • Part of subcall function 004F2870: FindNextFileA.KERNELBASE(00000000,00000010), ref: 004F2B28
  • Part of subcall function 004F2870: FindClose.KERNEL32(00000000), ref: 004F2B38
  • Part of subcall function 004F2870: GetLastError.KERNEL32 ref: 004F2B3E
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00455601
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00455628
  • Part of subcall function 00407B10: GetFileAttributesA.KERNELBASE(?,7FFFFFFF,?,?,?,?,00000000,00558869,000000FF,?,?,00000000,00000001), ref: 00407B6A
  • Part of subcall function 00407B10: CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000,00558869,000000FF,?,?,00000000), ref: 00407BF2
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045563F
• OutputDebugStringA.KERNELBASE(43t res tgy45yfhyrt), ref: 0045A295
• CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 0045A407
• GetLastError.KERNEL32 ref: 0045A419
• Sleep.KERNEL32(00007530), ref: 0045A435
Strings
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: Create$FileFind$DirectoryErrorLast$AttributesCloseSleep$ChangeDebugFirstMutexNextNotificationOutputPathStringTempThreadUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID: 43t res tgy45yfhyrt
• API String ID: 2654281156-696058833
• Opcode ID: 65718216c6e2e3310af10188051baf5db18f177b0a531d1ba93266077d052d0c
• Instruction ID: 9c8f78141530d7c3e3186ab54bd11a1a12a778bbd7b21b6fbf1c18c7b6f6a787
• Opcode Fuzzy Hash: 65718216c6e2e3310af10188051baf5db18f177b0a531d1ba93266077d052d0c
• Instruction Fuzzy Hash: 52425AB45093819FC324DF29C491AAEBBE1FFD8344F40491EE98997352DB34A949CF86
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,8C8DEFFF), ref: 004CC77E
                                                                                                                                                                    • Part of subcall function 004D0620: FindFirstFileA.KERNELBASE(?,?,?,?,?,00000000,?,?), ref: 004D0771
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FileFindFirstFolderPath
                                                                                                                                                                  • String ID: $r($MjL$cannot use operator[] with a string argument with $cannot use push_back() with $fGVm$fGVm$k>2$xH>$I$I$I
                                                                                                                                                                  • API String ID: 2195519125-3021718430
                                                                                                                                                                  • Opcode ID: 32a86bd4c24c49e8a54171f69fdc18cd166235fe0773a6323aa8dbcea6e36457
                                                                                                                                                                  • Instruction ID: 58fff7fa39e1a7d59a690a9eb2d20e9a3d742f11dd313cf94c949deb9fb380dd
                                                                                                                                                                  • Opcode Fuzzy Hash: 32a86bd4c24c49e8a54171f69fdc18cd166235fe0773a6323aa8dbcea6e36457
                                                                                                                                                                  • Instruction Fuzzy Hash: 5143DAB4D052688BDB65CF68C991BDDBBB5BF48304F1081DAE809BB281DB346E84CF55
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                   Control-flow Graph: function at 4f2870 (rendered graph not preserved)
                                                                                                                                                                  APIs
                                                                                                                                                                  • FindFirstFileA.KERNELBASE(?,?,00588E90,?,?,?,\*.*,00000004), ref: 004F298C
                                                                                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080,?,?,00588E90,?,?), ref: 004F2AFC
                                                                                                                                                                  • DeleteFileA.KERNEL32(?), ref: 004F2B16
                                                                                                                                                                  • FindNextFileA.KERNELBASE(00000000,00000010), ref: 004F2B28
                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 004F2B38
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 004F2B3E
                                                                                                                                                                  • SetFileAttributesA.KERNELBASE(?,00000080), ref: 004F2B5B
                                                                                                                                                                  • RemoveDirectoryA.KERNELBASE(?), ref: 004F2B79
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 004F2B8E
                                                                                                                                                                  • std::_Throw_Cpp_error.LIBCPMT ref: 004F2C46
                                                                                                                                                                  • std::_Throw_Cpp_error.LIBCPMT ref: 004F2C57
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: File$Find$AttributesCpp_errorErrorLastThrow_std::_$CloseDeleteDirectoryFirstNextRemove
                                                                                                                                                                  • String ID: \*.*
                                                                                                                                                                  • API String ID: 460640838-1173974218
                                                                                                                                                                  • Opcode ID: 466bd1c2456f9acd82312103d6d78d4e925ff4445bf50abb06e90954b34695a9
                                                                                                                                                                  • Instruction ID: 430257b0234f4d6f71ca32d924a6ee1be9a9adcf3772e337a705ae905a87183e
                                                                                                                                                                  • Opcode Fuzzy Hash: 466bd1c2456f9acd82312103d6d78d4e925ff4445bf50abb06e90954b34695a9
                                                                                                                                                                  • Instruction Fuzzy Hash: 33B14730D002089FDB24DF68CD887FEBBB5EF15314F14421AE944A7392DBB8AA85DB55
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000200,00000000,?,811C9DC5), ref: 004DBB97
                                                                                                                                                                  • GetUserNameA.ADVAPI32(?,00000104), ref: 004DBC19
                                                                                                                                                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 004DC0BA
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FileName$CopyModuleUser
                                                                                                                                                                  • String ID: ;pO$vE[$vE[
                                                                                                                                                                  • API String ID: 1118875727-272748310
                                                                                                                                                                  • Opcode ID: 76ffa0bdfd6289b060e5c8fa38f4cfab54ae458c93071afb60aa7699cd088874
                                                                                                                                                                  • Instruction ID: db02d0ea7d064c082f71bd976c7465a8fd94f5b3a7ef15bcedaf019b5b27ecd6
                                                                                                                                                                  • Opcode Fuzzy Hash: 76ffa0bdfd6289b060e5c8fa38f4cfab54ae458c93071afb60aa7699cd088874
                                                                                                                                                                  • Instruction Fuzzy Hash: 8023EFB4D002589BDB29CF98C990BEDBBB1AF49314F2451DAE849B7341DB315E84CF68
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 004091BF: CreateDirectoryA.KERNELBASE(00000000,00000000,?), ref: 0040A601
                                                                                                                                                                  • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045B14B
                                                                                                                                                                  • CreateDirectoryA.KERNEL32(0000000F,00000000,?,?), ref: 0045B6CD
                                                                                                                                                                  • CreateDirectoryA.KERNEL32(0000000F,00000000,0000000F,00000000,?,?), ref: 0045B8E9
                                                                                                                                                                  • CreateDirectoryA.KERNEL32(?,00000000,?,0000000F,00000000,?,?), ref: 0045BA77
                                                                                                                                                                  • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045C326
                                                                                                                                                                  • GetFileAttributesA.KERNEL32(00000000,?,?,?,?,?), ref: 0045C8B2
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?), ref: 0045C8BD
                                                                                                                                                                    • Part of subcall function 0042D43A: ReleaseSRWLockExclusive.KERNEL32(004F2D39), ref: 0042D44E
                                                                                                                                                                  • CreateDirectoryA.KERNEL32(?,00000000,?,?), ref: 0045C90D
                                                                                                                                                                  • CreateDirectoryA.KERNEL32(00000000,00000000,?,?,6F2977B7,?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0045CB49
                                                                                                                                                                  • CreateDirectoryA.KERNEL32(00000000,00000000,6F2977B7,?,?,6F2977B7,?,00000000,00000000,?,?,?,?,?,?,6F2977B7), ref: 0045D1EF
                                                                                                                                                                  • std::_Throw_Cpp_error.LIBCPMT ref: 0045DB22
                                                                                                                                                                  • std::_Throw_Cpp_error.LIBCPMT ref: 0045DB33
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorExclusiveFileLastLockRelease
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 4067333799-0
                                                                                                                                                                  • Opcode ID: 3398877c9ae5629ba07be7d59eef0d760106e9c111d3d6159deb06be24d4748c
                                                                                                                                                                  • Instruction ID: 68c8495f6346b6796ce830d8594ba972bb16e4ec352a3aae9e85973fddee60a8
                                                                                                                                                                  • Opcode Fuzzy Hash: 3398877c9ae5629ba07be7d59eef0d760106e9c111d3d6159deb06be24d4748c
                                                                                                                                                                  • Instruction Fuzzy Hash: E1334770D042689BDB25CF68CD847EDBBB5BF49304F1082DAE849A7242DB346E89CF55
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                   Control-flow Graph: function at 4d3150 (rendered graph not preserved)
                                                                                                                                                                  APIs
                                                                                                                                                                  • WSAStartup.WS2_32 ref: 004D317A
                                                                                                                                                                  • getaddrinfo.WS2_32(?,?,?,00588CC0), ref: 004D31FC
                                                                                                                                                                  • socket.WS2_32(?,?,?), ref: 004D321D
                                                                                                                                                                  • connect.WS2_32(00000000,0055F6D1,?), ref: 004D3231
                                                                                                                                                                  • closesocket.WS2_32(00000000), ref: 004D323D
                                                                                                                                                                  • freeaddrinfo.WS2_32(?,?,?,?,00588CC0,?,?), ref: 004D324A
                                                                                                                                                                  • WSACleanup.WS2_32 ref: 004D3250
                                                                                                                                                                  • freeaddrinfo.WS2_32(?,?,?,?,00588CC0,?,?), ref: 004D3265
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: freeaddrinfo$CleanupStartupclosesocketconnectgetaddrinfosocket
• String ID:
• API String ID: 58224237-0
• Opcode ID: 9e6883013388f64e9fa16a16f0073357cf9f7d6acb3b040fdaf446918f01256a
• Instruction ID: 66b7f2af6e1e00109afe9fd9f1c3058fd8df4c895de65cf13c46908161227474
• Opcode Fuzzy Hash: 9e6883013388f64e9fa16a16f0073357cf9f7d6acb3b040fdaf446918f01256a
• Instruction Fuzzy Hash: 7731E631A047009BD7209F29DC4862BB7E5FF85735F104B5FF9A4933E0D37899489696
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 004F2F40: GetModuleHandleA.KERNEL32(?), ref: 004F3048
  • Part of subcall function 004F2F40: GetProcAddress.KERNEL32(00000000,?), ref: 004F3053
• CreateDirectoryA.KERNELBASE(00000000,00000000,?), ref: 0040A601
Strings
• cannot use operator[] with a string argument with , xrefs: 0040A47B
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: AddressCreateDirectoryHandleModuleProc
• String ID: cannot use operator[] with a string argument with
• API String ID: 2385557062-2766135566
• Opcode ID: 64d0cee5f530ed2e08766c5bcfab9cc539caee87aec487504877893d86c93f37
• Instruction ID: ded7b3acff67d6fc93a9f934a04086679630f068c6daeca2e519d3ea19527e87
• Opcode Fuzzy Hash: 64d0cee5f530ed2e08766c5bcfab9cc539caee87aec487504877893d86c93f37
• Instruction Fuzzy Hash: 74C210B4D042689BDB25CF58C984BDDBBB0BF58304F1481DAE849B7381DB746A84CFA5
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00424C30: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 00424CC9
  • Part of subcall function 00424C30: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 00424D11
• GetFileAttributesA.KERNELBASE(?), ref: 004F6A45
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004F7081
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: ___std_fs_convert_narrow_to_wide@20$AttributesFileIos_base_dtorstd::ios_base::_
• String ID: .zip$@G@$recursive_directory_iterator::recursive_directory_iterator$status
• API String ID: 3330089674-1374571796
• Opcode ID: dbecc60ade6f9cc5c517a97f52a0f8180f0e579495cfc7ae31c079beb9c3e3e9
• Instruction ID: 5c112c02936b25d4fb78ed62e4cf61e9fc9cdc42541c04c932bd90300030b25b
• Opcode Fuzzy Hash: dbecc60ade6f9cc5c517a97f52a0f8180f0e579495cfc7ae31c079beb9c3e3e9
• Instruction Fuzzy Hash: 8482CE70D002588FDB14DF68C884BEEBBB1BF55304F1441AEE549A7292DB38AE85CF95
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID:
• String ID: WITHOUT ROWID$WITHOUT ROWID$d$library routine called out of sequence$out of memory$pkU$unknown error$hU
• API String ID: 0-3288033085
• Opcode ID: d6ade1b6623ac6609edd131df4967f6f5a91463fcd52ce4648a594e49f9ad005
• Instruction ID: 497802968e842dde83b933efc766fcc9b30b40c45d497888dbf4db774b5c934f
• Opcode Fuzzy Hash: d6ade1b6623ac6609edd131df4967f6f5a91463fcd52ce4648a594e49f9ad005
• Instruction Fuzzy Hash: 5CB2CF70605B52DFC728CF28E494A6BBBF1BF96304F14492DE88A97391D731E845CB86
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph (rendered figure not reproduced here; basic blocks 45a5c0 through 45a77d, with GetCursorPos, GetPEB and Sleep call sites and an internal call to 4f6620)
APIs
• GetCursorPos.USER32(?), ref: 0045A5D3
• GetCursorPos.USER32(?), ref: 0045A5D9
• Sleep.KERNELBASE(000003E9,?,?,?,?,?,?,?,?,?,?,?,00453DEA), ref: 0045A688
• GetCursorPos.USER32(?), ref: 0045A68E
• Sleep.KERNELBASE(00000001,?,?,?,?,?,?,?,?,?,?,?,00453DEA), ref: 0045A73A
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: Cursor$Sleep
• String ID: =E
• API String ID: 1847515627-2289002813
• Opcode ID: 87aaf06eb3feef4bfb938811ad3031e6b1e2923ec5a892cc3e26860d6edd803d
• Instruction ID: 823f227e19ebc1f4262c84ee3b7a9e46c16cc5b48225767440be61142120e435
• Opcode Fuzzy Hash: 87aaf06eb3feef4bfb938811ad3031e6b1e2923ec5a892cc3e26860d6edd803d
• Instruction Fuzzy Hash: B151CC35A00215CFCB18CF58C4C4EAAB7B1FF49705F19429AD945AB312D739ED1ACB81
Uniqueness
Uniqueness Score: -1.00%
APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 004B384B
  • Part of subcall function 0041A800: ___std_exception_destroy.LIBVCRUNTIME ref: 0041A959
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: FolderPath___std_exception_destroy
• String ID: cannot use operator[] with a string argument with $I$I$I
• API String ID: 3548636424-122575368
• Opcode ID: dba2a0ee44e8d4b3865d9519a6f8c301ab1a7b499268f81b258f7d926f9999a8
• Instruction ID: df9c875d8cc877c3b3a93ee254c84c4b376f22100dfb1a1e0afc37ba53127f04
• Opcode Fuzzy Hash: dba2a0ee44e8d4b3865d9519a6f8c301ab1a7b499268f81b258f7d926f9999a8
• Instruction Fuzzy Hash: 2803F0B4D002689BDB29CF68D980BDDBBB5AF49304F1481DAE449BB341DB346E85CF64
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph (rendered figure not reproduced here; basic blocks 4df790 through 4dfe6b, with GetModuleFileNameA, GetModuleHandleA, GetProcAddress, CreateProcessA, GetPEB and MultiByteToWideChar call sites and internal calls to 430240, 4034e0, 419950, 42e183, 433500, 4f6620 and 4164d0)
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000200,?,?,811C9DC5), ref: 004DF7D2
• GetModuleHandleA.KERNEL32(?), ref: 004DFBF1
• GetProcAddress.KERNEL32(00000000,?), ref: 004DFBFC
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004DFC4C
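The API listings above are the raw evidence behind several of the report's signatures: in the function at 0045A5C0, two GetCursorPos reads sit on either side of a Sleep whose first argument is 0x3E9 (1001 ms), which is the usual "did the mouse move while I waited?" sandbox check; the function at 004DF790 resolves its own path with GetModuleFileNameA, resolves an import by hand with GetModuleHandleA/GetProcAddress and then calls CreateProcessA, which is what an analyst would check for a self-relaunch or persistence step; and the SHGetFolderPathA call at 004B384B is how the sample locates a per-user folder before reading profile data from it. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's "• Name.MODULE(args), ref: ADDR" layout and turns them into behaviour tags. The three sample listings are copied from the report lines above; the dictionary labels, the tag wording and the ordering heuristic are this example's own assumptions, not Joe Sandbox signature logic.

```python
"""Turn Joe Sandbox per-function API listings into behaviour tags.

Added example: the heuristics and tag names are assumptions, not Joe Sandbox output.
"""
import re
from dataclasses import dataclass, field

# Sample input: API lines copied from the report. The dictionary keys are our own
# labels for the three functions (constructed for this example, not report data).
SAMPLE_FUNCTIONS = {
    "cursor_check": """
• GetCursorPos.USER32(?), ref: 0045A5D3
• GetCursorPos.USER32(?), ref: 0045A5D9
• Sleep.KERNELBASE(000003E9,?,?,?,?,?,?,?,?,?,?,?,00453DEA), ref: 0045A688
• GetCursorPos.USER32(?), ref: 0045A68E
• Sleep.KERNELBASE(00000001,?,?,?,?,?,?,?,?,?,?,?,00453DEA), ref: 0045A73A
""",
    "relaunch": """
• GetModuleFileNameA.KERNEL32(00000000,?,00000200,?,?,811C9DC5), ref: 004DF7D2
• GetModuleHandleA.KERNEL32(?), ref: 004DFBF1
• GetProcAddress.KERNEL32(00000000,?), ref: 004DFBFC
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004DFC4C
""",
    "folder_lookup": """
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 004B384B
  • Part of subcall function 0041A800: ___std_exception_destroy.LIBVCRUNTIME ref: 0041A959
""",
}

# One report line: optional "Part of subcall function X:" prefix, then Name.MODULE,
# an optional argument list in parentheses, and the call-site address after "ref:".
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][\w@:]*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list = field(default_factory=list)
    ref: int = 0           # call-site address
    subcall: bool = False  # listed as part of a callee, not this function's own call


def parse_api_lines(text):
    """Parse a block of report lines into ApiCall records ordered by call-site address."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = m.group("args").split(",") if m.group("args") else []
            calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                 int(m.group("ref"), 16), m.group("sub") is not None))
    return sorted(calls, key=lambda c: c.ref)


def hex_arg(arg):
    """Decode an argument as the report prints it (hex); '?' (unknown) becomes None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def sleep_delays_ms(calls):
    """Milliseconds passed to each Sleep call, in address order."""
    return [hex_arg(c.args[0]) for c in calls if c.name == "Sleep" and c.args]


def has_cursor_movement_check(calls):
    """GetCursorPos, then Sleep, then GetCursorPos again at increasing addresses:
    the pattern of reading the cursor twice around a delay and comparing positions."""
    own = [c for c in calls if not c.subcall]
    cursor = [c.ref for c in own if c.name == "GetCursorPos"]
    sleeps = [c.ref for c in own if c.name == "Sleep"]
    return any(a < s < b for s in sleeps for a, b in zip(cursor, cursor[1:]))


def classify(calls):
    """Behaviour tags for one function; the wording is ours, not a Joe Sandbox signature."""
    names = {c.name for c in calls if not c.subcall}
    tags = []
    if has_cursor_movement_check(calls):
        tags.append("sandbox-evasion: mouse movement check")
    if {"GetModuleHandleA", "GetProcAddress"} <= names:
        tags.append("dynamic API resolution")
    if {"GetModuleFileNameA", "CreateProcessA"} <= names:
        tags.append("process creation after resolving own module path")
    elif "CreateProcessA" in names:
        tags.append("process creation")
    if "SHGetFolderPathA" in names:
        tags.append("known-folder path lookup (user profile data)")
    if {"socket", "connect"} <= names:
        tags.append("outbound TCP connection")
    return tags


def classify_report(functions):
    """Map each labelled function to its behaviour tags."""
    return {label: classify(parse_api_lines(text)) for label, text in functions.items()}


if __name__ == "__main__":
    for label, tags in classify_report(SAMPLE_FUNCTIONS).items():
        print(f"{label}: {', '.join(tags) or 'no tags'}")
    print("Sleep delays (ms):", sleep_delays_ms(parse_api_lines(SAMPLE_FUNCTIONS["cursor_check"])))
```

Subcall entries (the indented "Part of subcall function" lines) are parsed but excluded from the tags, since they belong to a callee and would otherwise attribute every helper's imports to every caller. The ordering check in has_cursor_movement_check uses call-site addresses as a stand-in for execution order; the control-flow graph above shows the loop that actually revisits those sites, so a stricter version would walk the graph instead.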
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: Module$AddressCreateFileHandleNameProcProcess
• String ID:
• API String ID: 347136680-0
• Opcode ID: 1114ed769da3d7834aeeed2b80c93af95e2cbb04c664a99da593df4f1207dd32
• Instruction ID: 1c398614b8e40d06d673246c6905bd3bbdd575ff32f9acac0e67e79eca0af1e2
• Opcode Fuzzy Hash: 1114ed769da3d7834aeeed2b80c93af95e2cbb04c664a99da593df4f1207dd32
• Instruction Fuzzy Hash: 393258B4D00249AFDB10CF98D995BEEFBB1FF48314F20425AE849AB381D7346A45CB95
Uniqueness
Uniqueness Score: -1.00%
                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 5836 40d468-40d485 call 403260 call 403420 call 4f2cd0 5843 40d48b-40d584 5836->5843 5844 40d5cf-40d5e3 call 403420 call 4f2cd0 5836->5844 5843->5844 5849 40de50-40de5a call 4f2870 5844->5849 5850 40d5e9-40d62d call 414090 call 4d0620 call 412f70 call 412f60 5844->5850 5853 40de5f 5849->5853 5870 40d633-40d748 call 414090 call 417e60 call 405140 call 417aa0 call 416470 call 413b90 5850->5870 5871 40d8bc-40d984 call 417ea0 call 403420 call 4f2cd0 5850->5871 5856 40de62-40de75 call 4031c0 5853->5856 5862 40de77-40de81 call 4f2870 5856->5862 5863 40de89-40deec call 4031c0 * 8 5856->5863 5868 40de86 5862->5868 5928 40def2-40dfba call 417ea0 call 403420 CreateDirectoryA 5863->5928 5929 41067d-410681 5863->5929 5868->5863 5919 40d88b-40d8b6 call 4031c0 call 416470 call 4031c0 5870->5919 5920 40d74e-40d881 call 417ea0 call 418040 call 403420 * 2 CopyFileA call 4031c0 * 2 5870->5920 5893 40d98a-40da57 call 417ea0 call 403420 CreateDirectoryA 5871->5893 5894 40da5f 5871->5894 5897 40da65 5893->5897 5915 40da59-40da5d 5893->5915 5894->5897 5901 40da69-40da6e 5897->5901 5906 40da70-40da7c call 4031c0 5901->5906 5907 40da81-40da85 5901->5907 5906->5907 5912 40db69-40db8f call 49b950 5907->5912 5913 40da8b-40db5f call 417ea0 call 414090 call 4ec100 5907->5913 5926 40de25-40de4e call 416210 call 4031c0 call 416210 5912->5926 5927 40db95-40dcfa call 417ea0 call 403420 call 4340b0 5912->5927 5913->5912 5953 40db61-40db65 5913->5953 5915->5901 5919->5870 5919->5871 5920->5919 5996 40d883-40d887 5920->5996 5926->5849 5926->5856 5977 40dd00-40dd20 5927->5977 5978 40de12-40de20 call 4031c0 5927->5978 5960 40dfc0-40e08a call 417ea0 call 403420 CreateDirectoryA 5928->5960 5961 41066b-410678 call 4031c0 5928->5961 5931 410687-41074f call 417ea0 call 403420 CreateDirectoryA 5929->5931 5932 410b5c-410b6e 
5929->5932 5969 410b51-410b57 call 4031c0 5931->5969 5970 410755-410872 5931->5970 5953->5912 5989 40e090-40e209 5960->5989 5990 40e397-40e45d call 417ea0 call 403420 CreateDirectoryA 5960->5990 5961->5929 5969->5932 5970->5969 5982 40dd26 5977->5982 5983 40de07-40de0f call 437938 5977->5983 5978->5926 5987 40dd28-40ddd0 call 403420 call 403770 5982->5987 5983->5978 5999 40ddd5-40ddfb 5987->5999 6003 40e6d2-40e798 call 417ea0 call 403420 CreateDirectoryA 5990->6003 6004 40e463-40e55c 5990->6004 5996->5919 5999->5987 6001 40de01 5999->6001 6001->5983 6009 40e987-40ea4d call 417ea0 call 403420 CreateDirectoryA 6003->6009 6010 40e79e-40e923 call 403260 call 43cc71 call 417fd0 call 4031c0 call 403420 call 4f2cd0 6003->6010 6004->6003 6019 40ea53-40ebdc call 403260 call 43cc71 call 417fd0 call 4031c0 call 403420 call 4f2cd0 6009->6019 6020 40fa08-40face call 417ea0 call 403420 CreateDirectoryA 6009->6020 6046 40e925-40e95e call 414090 * 2 call 4ec100 6010->6046 6047 40e966-40e970 call 4f2870 6010->6047 6081 40ebe2-40ecaa call 417ea0 call 403420 call 4f2cd0 6019->6081 6082 40f9e7-40f9f1 call 4f2870 6019->6082 6035 40fad4-40fc8e call 403260 call 43cc71 call 417fd0 call 4031c0 call 414090 call 4d0620 call 412f70 call 412f60 6020->6035 6036 4100ee-4101b4 call 417ea0 call 403420 CreateDirectoryA 6020->6036 6125 40fc94-40fda2 call 414090 call 417e60 call 405140 call 417aa0 call 416470 call 413b90 6035->6125 6126 4100bc-4100c6 call 4f2870 6035->6126 6056 410611-410615 6036->6056 6057 4101ba-41026a call 4034c0 6036->6057 6046->6047 6093 40e960-40e964 6046->6093 6059 40e975 6047->6059 6067 410617-410621 call 4f2870 6056->6067 6068 410629-410666 call 4031c0 * 6 6056->6068 6078 410270-410275 6057->6078 6065 40e978-40e982 call 4031c0 6059->6065 6065->6009 6076 410626 6067->6076 6068->5961 6076->6068 6078->6078 6085 410277-410339 call 4034e0 call 43cc71 6078->6085 6112 40ecb0-40ed7b call 417ea0 call 403420 CreateDirectoryA 6081->6112 6113 40ed7d 6081->6113 6089 40f9f6-40fa03 call 
4031c0 6082->6089 6110 410340-410345 6085->6110 6089->6020 6093->6065 6110->6110 6115 410347-410387 call 41c4c0 call 403210 call 4031c0 call 403420 call 4f2cd0 6110->6115 6112->6113 6118 40ed81-40ed86 6112->6118 6113->6118 6165 4105f0-4105fa call 4f2870 6115->6165 6166 41038d-410446 call 417ea0 call 4f2d70 6115->6166 6123 40ed88-40ed94 call 4031c0 6118->6123 6124 40ed99-40ed9d 6118->6124 6123->6124 6133 40ee81-40ef80 6124->6133 6134 40eda3-40ee77 call 417ea0 call 414090 call 4ec100 6124->6134 6176 40ff60-41007b call 417ea0 call 418040 call 403420 * 2 CopyFileA call 4031c0 * 2 6125->6176 6177 40fda8-40fe84 call 413b90 6125->6177 6136 4100cb 6126->6136 6134->6133 6162 40ee79-40ee7d 6134->6162 6143 4100ce-4100e8 call 416210 call 4031c0 6136->6143 6143->6036 6162->6133 6172 4105ff 6165->6172 6166->6165 6181 41044c-4105e8 call 417ea0 call 403420 call 417ea0 call 403420 CopyFileA call 4031c0 * 2 6166->6181 6175 410602-41060c call 4031c0 6172->6175 6175->6056 6197 410085-4100b0 call 4031c0 call 416470 call 4031c0 6176->6197 6218 41007d-410081 6176->6218 6177->6176 6187 40fe8a-40ff5a call 413b90 6177->6187 6181->6165 6219 4105ea-4105ee 6181->6219 6187->6176 6187->6197 6197->6125 6216 4100b6-4100ba 6197->6216 6216->6126 6216->6143 6218->6197 6219->6175
Strings
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: AttributesErrorFileLast
• String ID: 0
• API String ID: 1799206407-4108050209
• Opcode ID: 20c5174ce98549ec0c6dd1ca7c0aa0ae184400a2f8ba70ec022d77deb839179e
• Instruction ID: d3553316db2c8dc36a3c53aaf8957dde30e24de572f0d1dfc5b1ab8cdc92ac15
• Opcode Fuzzy Hash: 20c5174ce98549ec0c6dd1ca7c0aa0ae184400a2f8ba70ec022d77deb839179e
• Instruction Fuzzy Hash: 9F82D1B4D1526C9BDB25DFA9D881ADCFBB4BF58304F0081AAE819B7341DB346A84CF54
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
Graph rendering omitted. Entry block 40ca55; the blocks reached from it call CopyFileA and CreateDirectoryA, and the remaining edges lead to internal subroutines (403260, 43cc71, 417fd0, 403420, 4f2d70 and others).
APIs
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040CC14
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040CD14
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040D1DD
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040D332
Strings
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: CopyCreateDirectoryFile
• String ID: !
• API String ID: 3761107634-2657877971
• Opcode ID: 6e410194fcd50901128c0766d10c1e75220fdc67d70d05ee7b3424c3a4a01f65
• Instruction ID: e66ea828580897357c3337ece30a7bcdfe6fa77db8e0ad74278681913a0db402
• Opcode Fuzzy Hash: 6e410194fcd50901128c0766d10c1e75220fdc67d70d05ee7b3424c3a4a01f65
• Instruction Fuzzy Hash: DF52E2B8D052689BDB24DF69D981ADCBBB0BF48314F1481EAE849B7341DB305E84CF55
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 004F2CD0: GetFileAttributesA.KERNELBASE(?,?,?,0055A5B3,000000FF), ref: 004F2D0C
  • Part of subcall function 004F2CD0: GetLastError.KERNEL32(?,?,0055A5B3,000000FF), ref: 004F2D17
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040E794
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040EA49
Strings
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• String ID: B
• API String ID: 2267087916-1255198513
• Opcode ID: 4675d498882eaab8bcb66d508d4128d8251963df79c65c724d9ca310621736ae
• Instruction ID: 18f978b0f6646b41db9d4fa06ff2f241acb7d76137c4f260d1526695a4699fe5
• Opcode Fuzzy Hash: 4675d498882eaab8bcb66d508d4128d8251963df79c65c724d9ca310621736ae
• Instruction Fuzzy Hash: 385204B4D1526C9BDB25CFA9E981ADCFBB4BF48304F0081AAE919B7341D7341A84CF59
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9bbc3f51b43f695e9222ab255970085400a039c6b60fc997b3937aa89b263090
• Instruction ID: 9c4df05857bd84bc3601df45bbcef84d76791ef7a0d211089cd22e916cc2e826
• Opcode Fuzzy Hash: 9bbc3f51b43f695e9222ab255970085400a039c6b60fc997b3937aa89b263090
• Instruction Fuzzy Hash: 63A23470C042689BDB25CF68CD84BEDBBB5AF59304F1082DAE849B7252DB345E89CF54
Uniqueness
Uniqueness Score: -1.00%
APIs
• FindFirstFileA.KERNELBASE(?,?,?,?,?,00000000,?,?), ref: 004D0771
• FindNextFileA.KERNELBASE(0000000F,00000010), ref: 004D0A36
• GetLastError.KERNEL32 ref: 004D0A44
• FindClose.KERNEL32(0000000F), ref: 004D0A56
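The API lists in this section (the CopyFileA/CreateDirectoryA pairs earlier and the FindFirstFileA/FindNextFileA/GetLastError/FindClose loop directly above) are the raw evidence an analyst turns into a behavioural signature for a file-harvesting stealer. The Python below is an added example and is not part of the Joe Sandbox report or of the RisePro sample: it parses lines in the report's "APIs" format into per-function call lists and flags two behaviours, a directory walk and file staging into a freshly created directory. The embedded sample text is constructed from the entries shown on this page; the behaviour labels, the rule definitions, the A/W suffix normalisation and the grouping of lines into functions are this example's own assumptions, not the report's signatures.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed input: the "APIs" entries shown on this page, in the report's own line format.
# Each "APIs" heading starts the call list of one analysed function (assumption of this example).
SAMPLE_REPORT = """\
APIs
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040CC14
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040CD14
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040D1DD
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040D332
APIs
  • Part of subcall function 004F2CD0: GetFileAttributesA.KERNELBASE(?,?,?,0055A5B3,000000FF), ref: 004F2D0C
  • Part of subcall function 004F2CD0: GetLastError.KERNEL32(?,?,0055A5B3,000000FF), ref: 004F2D17
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040E794
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040EA49
APIs
• FindFirstFileA.KERNELBASE(?,?,?,?,?,00000000,?,?), ref: 004D0771
• FindNextFileA.KERNELBASE(0000000F,00000010), ref: 004D0A36
• GetLastError.KERNEL32 ref: 004D0A44
• FindClose.KERNEL32(0000000F), ref: 004D0A56
"""

# One report line: optional "Part of subcall function XXXX:" prefix, Name.MODULE, an optional
# "(args)" group, then "ref: ADDRESS". The GetLastError line above shows the no-argument form.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                 # call-site address parsed from "ref:"
    subcall: Optional[str]   # callee address when the report attributes the call to a subroutine


def parse_api_blocks(text: str) -> List[List[ApiCall]]:
    """Group report lines into one list of ApiCall per 'APIs' heading."""
    blocks: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = API_LINE.match(line)
        if m is None or current is None:
            continue  # other headings and non-API lines are ignored
        args = [a for a in (m.group("args") or "").split(",") if a]
        current.append(ApiCall(m.group("name"), m.group("module"), args,
                               int(m.group("ref"), 16), m.group("sub")))
    return blocks


def base_name(api: str) -> str:
    """Drop the ANSI/Unicode suffix so that CopyFileA and CopyFileW hit the same rule."""
    return re.sub(r"(?<=[a-z])[AW]$", "", api)


# Behaviour rules (this example's assumption, not the report's signatures): (pattern, ordered).
# An ordered pattern must occur as a subsequence of the calls sorted by call-site address;
# an unordered one only needs every named API to be present in the function.
BEHAVIOURS: Dict[str, Tuple[Tuple[str, ...], bool]] = {
    "directory_walk": (("FindFirstFile", "FindNextFile", "FindClose"), True),
    "file_staging": (("CreateDirectory", "CopyFile"), False),
}


def is_subsequence(seq: List[str], pattern: Tuple[str, ...]) -> bool:
    it = iter(seq)
    return all(p in it for p in pattern)  # each 'in' advances the iterator past its match


def classify(block: List[ApiCall]) -> Set[str]:
    names = [base_name(c.name) for c in sorted(block, key=lambda c: c.ref)]
    hits: Set[str] = set()
    for label, (pattern, ordered) in BEHAVIOURS.items():
        if is_subsequence(names, pattern) if ordered else set(pattern) <= set(names):
            hits.add(label)
    return hits


def summarize(text: str) -> List[Tuple[str, List[str]]]:
    """(lowest call-site address, sorted behaviour labels) for every function in the report."""
    out: List[Tuple[str, List[str]]] = []
    for block in parse_api_blocks(text):
        first = min(block, key=lambda c: c.ref).ref if block else 0
        out.append((f"{first:08X}", sorted(classify(block))))
    return out


if __name__ == "__main__":
    for addr, labels in summarize(SAMPLE_REPORT):
        print(addr, ", ".join(labels) or "-")
```

Calls sit in address order rather than report order because the report interleaves "Part of subcall function" lines, which belong to a callee, with the function's own calls; sorting by ref keeps an ordered rule such as the FindFirstFile/FindNextFile/FindClose loop from being broken by those lines.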
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Find$File$CloseErrorFirstLastNext
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 819619735-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00447E03,00000000,00000000,00000000), ref: 00447CC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: InformationTimeZone
• String ID: W. Europe Standard Time$W. Europe Summer Time
• API String ID: 565725191-690618308
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004D1275
• LocalFree.KERNEL32(?), ref: 004D12A4
• LocalFree.KERNEL32(?,?), ref: 004D1365
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: FreeLocal$CryptDataUnprotect
• String ID:
• API String ID: 2835072361-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FindClose.KERNEL32(000000FF,?,004209DA,?), ref: 0042C837
• FindFirstFileExW.KERNELBASE(000000FF,00000001,?,00000000,00000000,00000000,?,?,?,004209DA,?), ref: 0042C866
• GetLastError.KERNEL32(?,004209DA,?), ref: 0042C878
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: Find$CloseErrorFileFirstLast
• String ID:
• API String ID: 4020440971-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0054BB45
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0054BE47
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 885266447-0
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID:
• String ID: ~IP
• API String ID: 0-3959306736
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 2191 4e35a0-4e35d1 GetLastError 2192 4e35d7-4e35dd 2191->2192 2193 4e3715-4e3728 CopyFileA 2191->2193 2196 4e35e0-4e35e5 2192->2196 2194 4e372a-4e3733 GetLastError 2193->2194 2195 4e3749-4e375b 2193->2195 2194->2195 2197 4e3735-4e3746 call 4f3910 CopyFileA 2194->2197 2196->2196 2198 4e35e7-4e362a call 424c30 call 430240 RmStartSession 2196->2198 2197->2195 2205 4e36f6-4e3710 RmEndSession SetLastError call 416470 2198->2205 2206 4e3630-4e3661 call 413a80 RmRegisterResources 2198->2206 2205->2193 2210 4e36a8-4e36ae 2206->2210 2211 4e3663-4e3689 RmGetList 2206->2211 2214 4e36e2-4e36f2 2210->2214 2215 4e36b0-4e36c2 2210->2215 2212 4e368b-4e3691 2211->2212 2213 4e3693-4e3697 2211->2213 2212->2210 2212->2213 2213->2210 2216 4e3699-4e36a6 RmShutdown 2213->2216 2214->2205 2217 4e36d8-4e36df call 42e183 2215->2217 2218 4e36c4-4e36d2 2215->2218 2216->2210 2217->2214 2218->2217 2219 4e375c-4e37bb call 433500 call 430240 RmStartSession 2218->2219 2226 4e387c-4e38a5 RmEndSession SetLastError call 416470 2219->2226 2227 4e37c1-4e37f2 call 413a80 RmRegisterResources 2219->2227 2232 4e3846-4e384c 2227->2232 2233 4e37f4-4e381a RmGetList 2227->2233 2232->2226 2234 4e384e-4e3860 2232->2234 2235 4e381c-4e3822 2233->2235 2236 4e3824-4e3827 2233->2236 2239 4e3872-4e3879 call 42e183 2234->2239 2240 4e3862-4e3870 2234->2240 2235->2232 2235->2236 2237 4e3829-4e383f RmShutdown 2236->2237 2238 4e3841 2236->2238 2237->2232 2238->2232 2239->2226 2240->2239 2241 4e38a6-4e390e call 433500 2240->2241 2246 4e3914-4e3919 2241->2246 2247 4e3af3 2241->2247 2249 4e3920-4e3922 2246->2249 2248 4e3af7-4e3b05 call 416210 2247->2248 2259 4e3b2f-4e3b44 2248->2259 2260 4e3b07-4e3b13 2248->2260 2250 4e3928-4e3932 2249->2250 2251 4e3a95-4e3aa0 2249->2251 2253 4e3936-4e3954 call 419950 2250->2253 2254 4e3934 2250->2254 2256 
4e3aa4-4e3abe call 419950 2251->2256 2257 4e3aa2 2251->2257 2266 4e395a-4e39d0 2253->2266 2267 4e3a45 2253->2267 2254->2253 2270 4e3ac1 2256->2270 2257->2256 2263 4e3b25-4e3b2c call 42e183 2260->2263 2264 4e3b15-4e3b23 2260->2264 2263->2259 2264->2263 2268 4e3b4a-4e3b4f call 433500 2264->2268 2275 4e39d4-4e39d9 2266->2275 2274 4e3a48 2267->2274 2272 4e3aed-4e3af1 2270->2272 2273 4e3ac3-4e3ae3 2270->2273 2272->2248 2273->2247 2278 4e3ae5-4e3ae8 2273->2278 2279 4e3a4c-4e3a51 2274->2279 2275->2275 2280 4e39db-4e39e9 2275->2280 2278->2249 2281 4e3a8f-4e3a93 2279->2281 2282 4e3a53-4e3a5f 2279->2282 2283 4e39ef-4e39f3 2280->2283 2284 4e3b45 call 403110 2280->2284 2281->2270 2282->2281 2285 4e3a61-4e3a6c 2282->2285 2286 4e39f7-4e3a3d call 41b4a0 call 419950 2283->2286 2287 4e39f5 2283->2287 2284->2268 2289 4e3a6e-4e3a7c 2285->2289 2290 4e3a82-4e3a8c call 42e183 2285->2290 2286->2274 2297 4e3a3f-4e3a43 2286->2297 2287->2286 2289->2268 2289->2290 2290->2281 2297->2279
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 004E35C8
                                                                                                                                                                  • RmStartSession.RSTRTMGR(?,00000000,?), ref: 004E3620
                                                                                                                                                                  • RmRegisterResources.RSTRTMGR(?,00000001,?,00000000,00000000,00000000,00000000,?), ref: 004E3657
                                                                                                                                                                  • RmGetList.RSTRTMGR(?,00000000,?,?,?), ref: 004E367F
                                                                                                                                                                  • RmShutdown.RSTRTMGR(?,00000001,00000000), ref: 004E36A0
                                                                                                                                                                  • RmEndSession.RSTRTMGR(?), ref: 004E36F9
                                                                                                                                                                  • SetLastError.KERNEL32(00000000), ref: 004E3700
                                                                                                                                                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 004E371F
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00000000), ref: 004E372A
                                                                                                                                                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 004E3742
                                                                                                                                                                  • RmStartSession.RSTRTMGR(?,00000000,?,?,00000000), ref: 004E37B1
                                                                                                                                                                  • RmRegisterResources.RSTRTMGR(?,00000001,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004E37E8
                                                                                                                                                                  • RmGetList.RSTRTMGR(?,?,?,?,?,?,00000000), ref: 004E3810
                                                                                                                                                                  • RmShutdown.RSTRTMGR(?,00000001,00000000,?,00000000), ref: 004E3830
                                                                                                                                                                  • RmEndSession.RSTRTMGR(?,?,00000000), ref: 004E387F
                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,00000000), ref: 004E3886
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorLastSession$CopyFileListRegisterResourcesShutdownStart
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1315383477-0
                                                                                                                                                                  • Opcode ID: 5b55474738d83f2d7aff6c3ea50b44a912b227130379b68dc2329ae8cd5a13a6
                                                                                                                                                                  • Instruction ID: 5bf62267ccc7f4fe4693b81ad114fb0840f9afa76d5c815397b18ace0e574e84
                                                                                                                                                                  • Opcode Fuzzy Hash: 5b55474738d83f2d7aff6c3ea50b44a912b227130379b68dc2329ae8cd5a13a6
                                                                                                                                                                  • Instruction Fuzzy Hash: AC02AD71D00259AFCB15DFA5D888BEEBBB8FF08315F14022AE815A7391D7389E44CB95
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 3586 4d23c0-4d23f8 3587 4d23fe 3586->3587 3588 4d2870-4d2884 3586->3588 3589 4d2404-4d240c 3587->3589 3590 4d240e-4d2434 call 4d3150 3589->3590 3591 4d2447-4d2490 setsockopt recv WSAGetLastError 3589->3591 3594 4d2439-4d2441 3590->3594 3591->3588 3593 4d2496-4d2499 3591->3593 3595 4d249f-4d24a6 3593->3595 3596 4d27da-4d2804 __Xtime_get_ticks __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 3593->3596 3594->3591 3597 4d285b-4d286a Sleep 3594->3597 3598 4d24ac-4d24f3 call 416930 recv 3595->3598 3599 4d27c8-4d27d8 recv 3595->3599 3600 4d284d-4d2855 Sleep 3596->3600 3601 4d2806 3596->3601 3597->3588 3597->3589 3607 4d24f9-4d2514 recv 3598->3607 3608 4d2784-4d2791 3598->3608 3599->3600 3600->3597 3603 4d2808-4d280e 3601->3603 3604 4d2810-4d2837 call 4081e0 3601->3604 3603->3600 3603->3604 3609 4d283c-4d2848 3604->3609 3607->3608 3610 4d251a-4d2551 3607->3610 3608->3600 3611 4d2797-4d27a3 3608->3611 3609->3600 3614 4d25b4-4d25e4 call 414090 3610->3614 3615 4d2553-4d25b1 call 416930 setsockopt recv 3610->3615 3612 4d27b9-4d27c3 call 42e183 3611->3612 3613 4d27a5-4d27b3 3611->3613 3612->3600 3613->3612 3616 4d2885-4d288a call 433500 3613->3616 3625 4d25ea 3614->3625 3626 4d2704-4d2753 call 4d2890 3614->3626 3615->3614 3627 4d25f0-4d2608 3625->3627 3626->3608 3635 4d2755-4d2764 3626->3635 3629 4d261a-4d2629 3627->3629 3630 4d260a-4d2615 3627->3630 3633 4d2639-4d2645 3629->3633 3634 4d262b-4d2634 3629->3634 3632 4d26e9 3630->3632 3636 4d26ec-4d26fe 3632->3636 3637 4d2655-4d2661 3633->3637 3638 4d2647-4d2650 3633->3638 3634->3632 3639 4d277a-4d277c call 42e183 3635->3639 3640 4d2766-4d2774 3635->3640 3636->3626 3636->3627 3641 4d266e-4d267a 3637->3641 3642 4d2663-4d266c 3637->3642 3638->3632 3646 4d2781 3639->3646 3640->3616 3640->3639 3644 4d267c-4d2685 3641->3644 3645 4d2687-4d2693 3641->3645 
3642->3632 3644->3632 3647 4d2695-4d269e 3645->3647 3648 4d26a0-4d26ac 3645->3648 3646->3608 3647->3632 3649 4d26ae-4d26b7 3648->3649 3650 4d26b9-4d26c5 3648->3650 3649->3632 3651 4d26c7-4d26d0 3650->3651 3652 4d26d2-4d26db 3650->3652 3651->3632 3652->3636 3653 4d26dd-4d26e5 3652->3653 3653->3632
                                                                                                                                                                  APIs
                                                                                                                                                                  • setsockopt.WS2_32(00000370,0000FFFF,00001006,?,00000008), ref: 004D2466
                                                                                                                                                                  • recv.WS2_32(?,00000004,00000002), ref: 004D2481
                                                                                                                                                                  • WSAGetLastError.WS2_32 ref: 004D2485
                                                                                                                                                                  • recv.WS2_32(00000000,0000000C,00000002,0000000C), ref: 004D24EE
                                                                                                                                                                  • recv.WS2_32(00000000,0000000C,00000008), ref: 004D250F
                                                                                                                                                                  • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 004D258B
                                                                                                                                                                  • recv.WS2_32(00000000,?,00000008), ref: 004D25AC
                                                                                                                                                                    • Part of subcall function 004D3150: WSAStartup.WS2_32 ref: 004D317A
                                                                                                                                                                    • Part of subcall function 004D3150: getaddrinfo.WS2_32(?,?,?,00588CC0), ref: 004D31FC
                                                                                                                                                                    • Part of subcall function 004D3150: socket.WS2_32(?,?,?), ref: 004D321D
                                                                                                                                                                    • Part of subcall function 004D3150: connect.WS2_32(00000000,0055F6D1,?), ref: 004D3231
                                                                                                                                                                    • Part of subcall function 004D3150: closesocket.WS2_32(00000000), ref: 004D323D
                                                                                                                                                                    • Part of subcall function 004D3150: freeaddrinfo.WS2_32(?,?,?,?,00588CC0,?,?), ref: 004D324A
                                                                                                                                                                    • Part of subcall function 004D3150: WSACleanup.WS2_32 ref: 004D3250
                                                                                                                                                                  • recv.WS2_32(?,00000004,00000008), ref: 004D27D6
                                                                                                                                                                  • __Xtime_get_ticks.LIBCPMT ref: 004D27DA
                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004D27E8
                                                                                                                                                                  • Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 004D284F
                                                                                                                                                                  • Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 004D285D
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: recv$Sleepsetsockopt$CleanupErrorLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectfreeaddrinfogetaddrinfosocket
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 4125349891-0
                                                                                                                                                                  • Opcode ID: 0faf3052afb1c00782cdab9ebe53fd988e07a330ab3ea123e73c5a32e3e42a17
                                                                                                                                                                  • Instruction ID: 15ea99ae058cf58d21446cf462f8f8b9c5c04bab4b96d95aa166a16db5b48a04
                                                                                                                                                                  • Opcode Fuzzy Hash: 0faf3052afb1c00782cdab9ebe53fd988e07a330ab3ea123e73c5a32e3e42a17
                                                                                                                                                                  • Instruction Fuzzy Hash: 55E13230900244DFDB15DBA4CDA07ADBBF1BF66310F24425BE841AB2D2DBB45C8ADB95
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 3654 43d563-43d593 call 43d2b1 3657 43d595-43d5a0 call 43bf7c 3654->3657 3658 43d5ae-43d5ba call 44902a 3654->3658 3665 43d5a2-43d5a9 call 43bf8f 3657->3665 3663 43d5d3-43d61c call 43d21c 3658->3663 3664 43d5bc-43d5d1 call 43bf7c call 43bf8f 3658->3664 3674 43d689-43d692 GetFileType 3663->3674 3675 43d61e-43d627 3663->3675 3664->3665 3672 43d888-43d88c 3665->3672 3676 43d694-43d6c5 GetLastError __dosmaperr CloseHandle 3674->3676 3677 43d6db-43d6de 3674->3677 3679 43d629-43d62d 3675->3679 3680 43d65e-43d684 GetLastError __dosmaperr 3675->3680 3676->3665 3681 43d6cb-43d6d6 call 43bf8f 3676->3681 3682 43d6e0-43d6e5 3677->3682 3683 43d6e7-43d6ed 3677->3683 3679->3680 3684 43d62f-43d65c call 43d21c 3679->3684 3680->3665 3681->3665 3686 43d6f1-43d73f call 448f75 3682->3686 3683->3686 3687 43d6ef 3683->3687 3684->3674 3684->3680 3693 43d741-43d74d call 43d42b 3686->3693 3694 43d75e-43d786 call 43cfc6 3686->3694 3687->3686 3693->3694 3699 43d74f 3693->3699 3700 43d78b-43d7cc 3694->3700 3701 43d788-43d789 3694->3701 3702 43d751-43d759 call 44365f 3699->3702 3703 43d7ce-43d7d2 3700->3703 3704 43d7ed-43d7fb 3700->3704 3701->3702 3702->3672 3703->3704 3706 43d7d4-43d7e8 3703->3706 3707 43d801-43d805 3704->3707 3708 43d886 3704->3708 3706->3704 3707->3708 3710 43d807-43d83a CloseHandle call 43d21c 3707->3710 3708->3672 3713 43d86e-43d882 3710->3713 3714 43d83c-43d868 GetLastError __dosmaperr call 44913d 3710->3714 3713->3708 3714->3713
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0043D21C: CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0043D239
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0043D677
                                                                                                                                                                  • __dosmaperr.LIBCMT ref: 0043D67E
                                                                                                                                                                  • GetFileType.KERNELBASE(00000000), ref: 0043D68A
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0043D694
                                                                                                                                                                  • __dosmaperr.LIBCMT ref: 0043D69D
                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0043D6BD
                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 0043D80A
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0043D83C
                                                                                                                                                                  • __dosmaperr.LIBCMT ref: 0043D843
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                                                                  • String ID: H
                                                                                                                                                                  • API String ID: 4237864984-2852464175
                                                                                                                                                                  • Opcode ID: 63c00d4ff725a68de22716b4a375591cf024028e2c9fd4940c7fbe6601f7ac47
                                                                                                                                                                  • Instruction ID: deea7823187220b22c69116efca66525af397024c1424d0dae53dd4a9d4c69af
                                                                                                                                                                  • Opcode Fuzzy Hash: 63c00d4ff725a68de22716b4a375591cf024028e2c9fd4940c7fbe6601f7ac47
                                                                                                                                                                  • Instruction Fuzzy Hash: 47A17C31E14114AFCF19AF68EC467AE3BB1EB0A324F14215EF811DB391DB388816DB55
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 3717 421f3c-421f56 call 425710 3720 421f60-421f68 call 428220 3717->3720 3721 421f58-421f5e 3717->3721 3722 421f6d-421f7b call 41c660 3720->3722 3721->3722 3726 421f86-421f89 3722->3726 3727 421f7d-421f81 3722->3727 3729 422804-422892 call 41b7b0 call 406670 call 41bd60 3726->3729 3730 421f8f-421fb2 call 415c20 call 41c660 3726->3730 3728 422503-422508 3727->3728 3734 422d70-422d74 3728->3734 3735 42250e-42252b call 423be0 3728->3735 3761 422898-42289e 3729->3761 3762 423059-423092 call 416c30 call 42fc4b call 423f30 call 42fc4b 3729->3762 3750 422660-4226fa call 4036f0 call 41b7b0 call 406670 call 41bd60 3730->3750 3751 421fb8-421fcc 3730->3751 3738 422ff6-423013 call 411310 3734->3738 3746 422531-42253c call 41c660 3735->3746 3747 4225dd-4225e8 call 41c660 3735->3747 3767 422542-422545 3746->3767 3768 422013-42202a call 41c660 3746->3768 3769 422604-422612 call 41c660 3747->3769 3770 4225ea-4225ed 3747->3770 3834 422700-422706 3750->3834 3835 423035-42304e call 416c30 3750->3835 3756 421fce-421fd5 3751->3756 3757 421fef-421ff6 3751->3757 3764 421fd7-421feb 3756->3764 3765 421fed 3756->3765 3758 421ff9-42200e call 41dfb0 3757->3758 3758->3768 3771 4228a0-4228ac 3761->3771 3772 4228cc-422919 ___std_exception_destroy * 2 3761->3772 3838 423097-4230b1 call 416c30 call 42fc4b 3762->3838 3764->3758 3765->3757 3779 4225f3-4225ff call 423ab0 3767->3779 3780 42254b-4225d2 call 41b7b0 call 406670 call 41bd60 3767->3780 3768->3728 3800 422cd7-422d65 call 41b7b0 call 406670 call 41bd60 3769->3800 3801 422618-42263b call 415c20 call 41c660 3769->3801 3770->3779 3781 422b9e-422c27 call 41b7b0 call 406670 call 41bd60 3770->3781 3782 4228c2-4228c9 call 42e183 3771->3782 3783 4228ae-4228bc 3771->3783 3776 4227b2-4227d3 3772->3776 3777 42291f-42292e 3772->3777 3789 422ff2 3776->3789 3790 4227d9-4227e5 3776->3790 3791 422934-422942 3777->3791 3792 4227a8-4227af call 42e183 3777->3792 3779->3728 3851 423016-423030 call 416c30 call 42fc4b 3780->3851 3852 4225d8 3780->3852 3781->3838 3858 422c2d 3781->3858 3782->3772 3783->3782 3797 423054 call 433500 3783->3797 3789->3738 3802 4227eb-4227f9 3790->3802 3803 422fe8-422fef call 42e183 3790->3803 3791->3797 3807 422948 3791->3807 3792->3776 3797->3762 3870 4230d5-42316f call 416c30 call 42fc4b call 416c30 call 42fc4b call 416c30 call 42fc4b 3800->3870 3871 422d6b 3800->3871 3848 422c32-422ccc call 4036f0 call 41b7b0 call 406670 call 41bd60 3801->3848 3849 422641-422644 call 41c660 3801->3849 3802->3797 3814 4227ff 3802->3814 3803->3789 3807->3792 3819 422b34-422b83 call 4031c0 ___std_exception_destroy * 2 call 4031c0 3807->3819 3814->3803 3819->3738 3863 422b89-422b99 call 403430 3819->3863 3842 422734-422781 ___std_exception_destroy * 2 3834->3842 3843 422708-422714 3834->3843 3835->3797 3866 42304f call 42fc4b 3835->3866 3877 4230b6-4230d0 call 416c30 call 42fc4b 3838->3877 3842->3776 3856 422783-422792 3842->3856 3853 422716-422724 3843->3853 3854 42272a-422731 call 42e183 3843->3854 3848->3877 3894 422cd2 3848->3894 3869 422649-422658 3849->3869 3851->3835 3852->3819 3853->3797 3853->3854 3854->3842 3856->3792 3865 422794-4227a2 3856->3865 3858->3819 3863->3738 3865->3792 3865->3797 3866->3797 3869->3750 3871->3734 3877->3870 3894->3800
                                                                                                                                                                  APIs
                                                                                                                                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00422757
                                                                                                                                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00422770
                                                                                                                                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 004228EF
                                                                                                                                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00422908
                                                                                                                                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00422B51
                                                                                                                                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00422B6A
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ___std_exception_destroy
                                                                                                                                                                  • String ID: $$array$object
                                                                                                                                                                  • API String ID: 4194217158-1261123851
                                                                                                                                                                  • Opcode ID: 5914cf778d6968e80494f709db4e8b77c064380b7e6a9d0f017eec3419c8f505
                                                                                                                                                                  • Instruction ID: 729c381a9a0c7f986160d18f999e66225a9d9459ed6648384f1f9576d23ff93e
                                                                                                                                                                  • Opcode Fuzzy Hash: 5914cf778d6968e80494f709db4e8b77c064380b7e6a9d0f017eec3419c8f505
                                                                                                                                                                  • Instruction Fuzzy Hash: 6642F370D0025DAFDB14DFA0D984BEEBBB4FF15304F50416EE405A7642EB78AA88CB95
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 3901 4431a0-4431b0 3902 4431b2-4431c5 call 43bf7c call 43bf8f 3901->3902 3903 4431ca-4431cc 3901->3903 3918 443524 3902->3918 3904 4431d2-4431d8 3903->3904 3905 44350c-443519 call 43bf7c call 43bf8f 3903->3905 3904->3905 3908 4431de-443207 3904->3908 3922 44351f call 4334f0 3905->3922 3908->3905 3912 44320d-443216 3908->3912 3915 443230-443232 3912->3915 3916 443218-44322b call 43bf7c call 43bf8f 3912->3916 3920 443508-44350a 3915->3920 3921 443238-44323c 3915->3921 3916->3922 3923 443527-44352a 3918->3923 3920->3923 3921->3920 3925 443242-443246 3921->3925 3922->3918 3925->3916 3928 443248-44325f 3925->3928 3929 443294-44329a 3928->3929 3930 443261-443264 3928->3930 3934 44329c-4432a3 3929->3934 3935 44326e-443285 call 43bf7c call 43bf8f call 4334f0 3929->3935 3932 443266-44326c 3930->3932 3933 44328a-443292 3930->3933 3932->3933 3932->3935 3937 443307-443326 3933->3937 3938 4432a5 3934->3938 3939 4432a7-4432c5 call 445924 call 4458aa * 2 3934->3939 3966 44343f 3935->3966 3941 4433e2-4433eb call 44e474 3937->3941 3942 44332c-443338 3937->3942 3938->3939 3970 4432c7-4432dd call 43bf8f call 43bf7c 3939->3970 3971 4432e2-443305 call 43ce8d 3939->3971 3955 44345c 3941->3955 3956 4433ed-4433ff 3941->3956 3942->3941 3946 44333e-443340 3942->3946 3946->3941 3951 443346-443367 3946->3951 3951->3941 3952 443369-44337f 3951->3952 3952->3941 3957 443381-443383 3952->3957 3959 443460-443476 ReadFile 3955->3959 3956->3955 3961 443401-443410 GetConsoleMode 3956->3961 3957->3941 3962 443385-4433a8 3957->3962 3964 4434d4-4434df GetLastError 3959->3964 3965 443478-44347e 3959->3965 3961->3955 3967 443412-443416 3961->3967 3962->3941 3969 4433aa-4433c0 3962->3969 3972 4434e1-4434f3 call 43bf8f call 43bf7c 3964->3972 3973 4434f8-4434fb 3964->3973 3965->3964 3974 443480 3965->3974 3968 443442-44344c call 4458aa 3966->3968 3967->3959 3975 443418-443430 ReadConsoleW 3967->3975 3969->3941 3977 4433c2-4433c4 3969->3977 3970->3966 3971->3937 3972->3966 3982 443501-443503 3973->3982 3983 443438-44343e __dosmaperr 3973->3983 3980 443483-443495 3974->3980 3984 443451-44345a 3975->3984 3985 443432 GetLastError 3975->3985 3977->3941 3987 4433c6-4433dd 3977->3987 3980->3968 3990 443497-44349b 3980->3990 3982->3968 3983->3966 3984->3980 3985->3983 3987->3941 3994 4434b4-4434c1 3990->3994 3995 44349d-4434ad call 442eb2 3990->3995 3999 4434c3 call 443009 3994->3999 4000 4434cd-4434d2 call 442cf8 3994->4000 4006 4434b0-4434b2 3995->4006 4004 4434c8-4434cb 3999->4004 4000->4004 4004->4006 4006->3968
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 0-3907804496
                                                                                                                                                                  • Opcode ID: b462a36e6bb30e1ebe37cca350b7bdb3d0fdcfd033a52d65a3f9a67cac222ce0
                                                                                                                                                                  • Instruction ID: e3239ec4e1ee32b8324d570a22e522ef24bddbe65fd960e714ad45a7b0e040b8
                                                                                                                                                                  • Opcode Fuzzy Hash: b462a36e6bb30e1ebe37cca350b7bdb3d0fdcfd033a52d65a3f9a67cac222ce0
                                                                                                                                                                  • Instruction Fuzzy Hash: 77B12670A04244AFEB01DF59C881BBE7BB1FF49715F14419AE90197382CB789E41CBA9
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 6591 41a800-41a840 6592 41a846-41a864 6591->6592 6593 41aa68-41aa89 call 421ed0 6591->6593 6594 41a873-41a8ad call 41b670 call 420db0 call 41c660 6592->6594 6595 41a866-41a870 6592->6595 6597 41aa8e-41aa9c call 41c660 6593->6597 6620 41a8b3-41a940 call 41b7b0 call 406670 call 41bd60 6594->6620 6621 41a9bd-41a9c4 6594->6621 6595->6594 6604 41abb2-41abb6 6597->6604 6605 41aaa2-41ab2c call 41b7b0 call 406670 call 41bd60 6597->6605 6608 41ac3c-41ac41 6604->6608 6609 41abbc-41abf9 call 415ab0 call 411940 6604->6609 6646 41ab32-41ab84 call 4031c0 ___std_exception_destroy * 2 call 4031c0 6605->6646 6647 41ac8e-41aca2 call 416c30 call 42fc4b 6605->6647 6611 41ac43-41ac53 6608->6611 6612 41ac27-41ac39 6608->6612 6609->6612 6641 41abfb-41ac0b 6609->6641 6616 41ac55-41ac63 6611->6616 6617 41ac1d-41ac24 call 42e183 6611->6617 6616->6617 6622 41ac65 call 433500 6616->6622 6617->6612 6639 41ac6a-41ac84 call 416c30 call 42fc4b 6620->6639 6663 41a946-41a98f call 4031c0 ___std_exception_destroy * 2 call 4031c0 6620->6663 6626 41a9c6-41a9cc 6621->6626 6627 41a9ce-41a9d1 6621->6627 6622->6639 6634 41a9dd-41aa0a call 415ab0 call 411940 6626->6634 6635 41a9d3-41a9db 6627->6635 6636 41aa0f-41aa22 call 411940 6627->6636 6634->6636 6635->6634 6651 41aa42-41aa63 call 411310 * 3 6636->6651 6652 41aa24-41aa38 6636->6652 6666 41ac89 call 433500 6639->6666 6641->6617 6648 41ac0d-41ac1b 6641->6648 6646->6604 6673 41ab86-41ab92 6646->6673 6669 41aca7-41acb9 call 433500 6647->6669 6648->6617 6648->6622 6651->6612 6652->6651 6663->6621 6690 41a991-41a99d 6663->6690 6666->6647 6683 41ace3-41acf6 6669->6683 6684 41acbb-41acc5 6669->6684 6677 41ab94-41aba2 6673->6677 6678 41aba8-41abaf call 42e183 6673->6678 6677->6669 6677->6678 6678->6604 6688 41acc7-41acd5 6684->6688 6689 41acd9-41acdb call 42e183 6684->6689 6691 41acf7-41ad04 call 433500 6688->6691 6692 41acd7 6688->6692 6697 41ace0 6689->6697 6693 41a9b3-41a9ba call 42e183 6690->6693 6694 41a99f-41a9ad 6690->6694 6701 41ad06-41ad08 6691->6701 6702 41ad0c 6691->6702 6692->6689 6693->6621 6694->6666 6694->6693 6697->6683 6701->6702
                                                                                                                                                                  APIs
                                                                                                                                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 0041A959
                                                                                                                                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 0041A972
                                                                                                                                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 0041AB4E
                                                                                                                                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 0041AB67
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ___std_exception_destroy
                                                                                                                                                                  • String ID: value
                                                                                                                                                                  • API String ID: 4194217158-494360628
                                                                                                                                                                  • Opcode ID: e4ffa9d5168e7f9354265be0bc861305314de3187af35e75a45d650a850002be
                                                                                                                                                                  • Instruction ID: 9f034d729ebebe199f4f723a1c14bfd040db2caa5f80a11ca9a640f2ae4bdf80
                                                                                                                                                                  • Opcode Fuzzy Hash: e4ffa9d5168e7f9354265be0bc861305314de3187af35e75a45d650a850002be
                                                                                                                                                                  • Instruction Fuzzy Hash: 8DF10370D002488FDB14DF65C844BEEBBB4BF15304F14829EE455A7782E7786A88CFA6
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408127
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00408132
                                                                                                                                                                  • WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000), ref: 0040814B
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressHandleModuleProcSend
                                                                                                                                                                  • String ID: Ws2_32.dll
                                                                                                                                                                  • API String ID: 2819740048-3093949381
                                                                                                                                                                  • Opcode ID: dd4c487e8a8bc13902b4548fa43b40dbe95563e99cf8979a8f365f9e091ed4cc
                                                                                                                                                                  • Instruction ID: 4cf5a73f60aaa9aa04889aa359a8f1718852bcf292be34ef81f356f0aae57edb
                                                                                                                                                                  • Opcode Fuzzy Hash: dd4c487e8a8bc13902b4548fa43b40dbe95563e99cf8979a8f365f9e091ed4cc
                                                                                                                                                                  • Instruction Fuzzy Hash: 1FF18D70E042468FCB25CF58C880A6EBBB1BF45314F24456EE5A5AB3D2D7356C42CBD6
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,005588D8,00000000,00000000,-00589220), ref: 00408566
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00408574
                                                                                                                                                                  • WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,005588D8,00000000,00000000,-00589220), ref: 00408589
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressHandleModuleProcSend
                                                                                                                                                                  • String ID: Ws2_32.dll
                                                                                                                                                                  • API String ID: 2819740048-3093949381
                                                                                                                                                                  • Opcode ID: 56d94f30f56239b9f6a30b9d4a5a515b5cb323a29f0ba089c1967f76d3ef3ef0
                                                                                                                                                                  • Instruction ID: b889a33a35ddf0adef0218ac58701f77bdbbaba15cb1320cc4c9efeef27d22b6
                                                                                                                                                                  • Opcode Fuzzy Hash: 56d94f30f56239b9f6a30b9d4a5a515b5cb323a29f0ba089c1967f76d3ef3ef0
                                                                                                                                                                  • Instruction Fuzzy Hash: 1BE1BC70D00258EFDF15CBA4DD917EDBBB0AF56704F14029EE8857B282DB34198ACB95
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%
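
The two function listings above (refs 00408127 to 0040814B and 00408566 to 00408589) show the same pattern: the sample looks up Ws2_32.dll with GetModuleHandleA, resolves a symbol with GetProcAddress, and then calls WSASend, so the send routine never appears in the import table. The following triage helper is an added example, not part of the Joe Sandbox report or of the sample's own code. It parses API reference lines in the layout this page uses and flags any function that hand-resolves a module and then calls a send-side network API. The regular expression, the RESOLVERS and SEND_APIS watch-lists and the constructed excerpt in SAMPLE_REPORT are this helper's own assumptions, not Joe Sandbox definitions; the GetProcAddress name argument is printed as '?' in the report, so the resolved symbol is inferred from the send call that follows in the same function.

```python
"""Triage helper for Joe Sandbox 'APIs' listings.

Added example, not part of the Joe Sandbox report or the sample: it parses the
per-function API reference lines as they appear on the page and flags functions
that resolve a module by hand (GetModuleHandle*/LoadLibrary*) and then call a
data-sending API through GetProcAddress, the pattern visible around refs
00408127 and 00408566. RESOLVERS, SEND_APIS and the regex are this helper's own
assumptions about the report format, not Joe Sandbox definitions.
"""
import re
from typing import Dict, List, Optional

# One API reference line, e.g.
#   • WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000), ref: 0040814B
#   • ___std_exception_destroy.LIBVCRUNTIME ref: 00422757   (no argument list)
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Assumption: loader calls a sample uses to resolve imports at run time.
RESOLVERS = {
    "GetModuleHandleA", "GetModuleHandleW", "GetModuleHandleExA", "GetModuleHandleExW",
    "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
}
# Assumption: send-side network APIs worth flagging when reached via GetProcAddress.
SEND_APIS = {
    "WSASend", "WSASendTo", "send", "sendto", "InternetWriteFile",
    "HttpSendRequestA", "HttpSendRequestW", "WinHttpSendRequest", "WinHttpWriteData",
}

Call = Dict[str, str]


def parse_api_blocks(text: str) -> List[List[Call]]:
    """Split report text at each 'APIs' header and parse the call lines under it.

    Any other non-empty, non-matching line (e.g. the 'Strings' header) closes the
    current block, mirroring the report layout.
    """
    blocks: List[List[Call]] = []
    current: Optional[List[Call]] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            current.append({k: (v or "") for k, v in m.groupdict().items()})
        elif stripped:
            current = None
    return [b for b in blocks if b]


def find_dynamic_send(block: List[Call]) -> Optional[Dict[str, str]]:
    """Flag a block that hand-resolves a module, calls GetProcAddress, then sends data.

    The report prints the GetProcAddress name argument as '?', so the resolved
    symbol is inferred from the send API that follows in the same function.
    """
    calls = sorted(block, key=lambda c: int(c["ref"], 16))
    loaded: Optional[str] = None
    resolved = False
    for c in calls:
        if c["api"] in RESOLVERS:
            loaded = c["args"].split(",")[0]  # first argument is the module name
        elif c["api"] == "GetProcAddress" and loaded:
            resolved = True
        elif resolved and c["api"] in SEND_APIS:
            return {"first_ref": calls[0]["ref"], "module": loaded,
                    "api": c["api"], "send_ref": c["ref"]}
    return None


def triage(text: str) -> List[Dict[str, str]]:
    """Run the check over every 'APIs' block in a report excerpt."""
    findings = (find_dynamic_send(b) for b in parse_api_blocks(text))
    return [f for f in findings if f]


# Constructed sample: the API lines of the two WSASend functions and one
# exception-cleanup function from this report, arranged as the page lists them.
SAMPLE_REPORT = """
APIs
• GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408127
• GetProcAddress.KERNEL32(00000000,?), ref: 00408132
• WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000), ref: 0040814B
Strings
APIs
• GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,005588D8,00000000,00000000,-00589220), ref: 00408566
• GetProcAddress.KERNEL32(00000000,?), ref: 00408574
• WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,005588D8,00000000,00000000,-00589220), ref: 00408589
Strings
APIs
• ___std_exception_destroy.LIBVCRUNTIME ref: 00422B51
• ___std_exception_destroy.LIBVCRUNTIME ref: 00422B6A
Strings
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"function near {f['first_ref']}: resolves {f['module']} by hand, "
              f"then calls {f['api']} at {f['send_ref']}")
```

Run against the constructed excerpt it reports the two WSASend functions and stays silent on the exception-cleanup function. The sort by ref matters: Joe Sandbox lists calls in address order, but a block pasted from a de-duplicated listing may not be, and the resolver-then-send ordering is what distinguishes dynamic import resolution from an ordinary statically imported send.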

                                                                                                                                                                  APIs
                                                                                                                                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00422B51
                                                                                                                                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00422B6A
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ___std_exception_destroy
                                                                                                                                                                  • String ID: $array
                                                                                                                                                                  • API String ID: 4194217158-2848110696
                                                                                                                                                                  • Opcode ID: 9f4ea02c731a21f36805351e2a343ddf98f006329fc53848230d514473e2f301
                                                                                                                                                                  • Instruction ID: 040f54a50eca916393071bfcf6e1f9d608c7cf8feb660a1d38d308300d53a661
                                                                                                                                                                  • Opcode Fuzzy Hash: 9f4ea02c731a21f36805351e2a343ddf98f006329fc53848230d514473e2f301
                                                                                                                                                                  • Instruction Fuzzy Hash: 1541F770D0425CEADB14DFA0D994BEEBBB8FF15304F50416FD401A7242DB786A88DB55
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • DeleteFileW.KERNELBASE(A{C,?,00437B41,?), ref: 00446268
                                                                                                                                                                  • GetLastError.KERNEL32(?,00437B41,?), ref: 00446272
                                                                                                                                                                  • __dosmaperr.LIBCMT ref: 00446279
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: DeleteErrorFileLast__dosmaperr
                                                                                                                                                                  • String ID: A{C
                                                                                                                                                                  • API String ID: 1545401867-2902953714
                                                                                                                                                                  • Opcode ID: d06e79dd3ba0cf7262f3e9d2e22031695f25905068d46e1a3810f42683731183
                                                                                                                                                                  • Instruction ID: 82298aed12121fbb76aae4bd86d3a8824ef8c8c9545724addf748e8f9a95ec58
                                                                                                                                                                  • Opcode Fuzzy Hash: d06e79dd3ba0cf7262f3e9d2e22031695f25905068d46e1a3810f42683731183
                                                                                                                                                                  • Instruction Fuzzy Hash: E2D02232018A093B8B002BFAFC0C81B3F1CDAC23B4B112212F12CC21A0DF79C880E540
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetFileAttributesA.KERNELBASE(?,?,?,0055A5B3,000000FF), ref: 004F2D0C
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,0055A5B3,000000FF), ref: 004F2D17
                                                                                                                                                                  • std::_Throw_Cpp_error.LIBCPMT ref: 004F2D4E
                                                                                                                                                                  • std::_Throw_Cpp_error.LIBCPMT ref: 004F2D5F
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Cpp_errorThrow_std::_$AttributesErrorFileLast
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 995686243-0
                                                                                                                                                                  • Opcode ID: dfba1b075285273309578ffbf089447c7c1ac741728f75895561d4347c87bb62
                                                                                                                                                                  • Instruction ID: 325128bde6972141eaafbb0e95bf719766b08d5b5670bbe0189b29004b96e682
                                                                                                                                                                  • Opcode Fuzzy Hash: dfba1b075285273309578ffbf089447c7c1ac741728f75895561d4347c87bb62
                                                                                                                                                                  • Instruction Fuzzy Hash: 3401C071641118129A342A35ED4907F370D8713328BA80F1BEE25973D5D9DFCC45875A
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406029
                                                                                                                                                                  • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406070
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ___std_fs_directory_iterator_advance@8
                                                                                                                                                                  • String ID: .
                                                                                                                                                                  • API String ID: 2610647541-248832578
                                                                                                                                                                  • Opcode ID: 24110669fa94efa93dbf60294f552bae376b896653ba069dd2a2053fc70e762d
                                                                                                                                                                  • Instruction ID: 096b34988356738832717cd8d53d0dabcf9a03e197ae697f4c60f7eb60d7375d
                                                                                                                                                                  • Opcode Fuzzy Hash: 24110669fa94efa93dbf60294f552bae376b896653ba069dd2a2053fc70e762d
                                                                                                                                                                  • Instruction Fuzzy Hash: EBB1ED31A00A269FCB24DF28C484AABB3A5FF44314F14467AE956AB7C0D739AD55CFC4
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040BF0B
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CreateDirectory
                                                                                                                                                                  • String ID: D5I$gO>
                                                                                                                                                                  • API String ID: 4241100979-9669375
                                                                                                                                                                  • Opcode ID: a70bc843fb75804f0c6dcccdee84c4d7299bd1d366e2e2686d92fec8723b3657
                                                                                                                                                                  • Instruction ID: 1c99b7db082cbe4170b2a8c48b056c73716a310fc73452a91fe799afa8dbbf6b
                                                                                                                                                                  • Opcode Fuzzy Hash: a70bc843fb75804f0c6dcccdee84c4d7299bd1d366e2e2686d92fec8723b3657
                                                                                                                                                                  • Instruction Fuzzy Hash: 38E14AB4D052588FCB64CF98DA91ADCBBF1AB4C324F6451A9E449B7340DB315E81CF68
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040B094
                                                                                                                                                                  • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040B194
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CopyCreateDirectoryFile
                                                                                                                                                                  • String ID: d:P
                                                                                                                                                                  • API String ID: 3761107634-1316356323
                                                                                                                                                                  • Opcode ID: 9834d24a3142c173cffbc2ab538e9bcef5bf588c3bed871f4eefa6fbed3306b3
                                                                                                                                                                  • Instruction ID: b46fb8f498fe19e45c2de27f9ae2aa4bcfe055eec9d79a59652231d92f533978
                                                                                                                                                                  • Opcode Fuzzy Hash: 9834d24a3142c173cffbc2ab538e9bcef5bf588c3bed871f4eefa6fbed3306b3
                                                                                                                                                                  • Instruction Fuzzy Hash: C0D17BB8D052588BDB25CF98D991ADCBBF0AB4C314F2451DAE809B7340DB316E84CF69
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040C78B
                                                                                                                                                                  • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040C88B
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CopyCreateDirectoryFile
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3761107634-3916222277
                                                                                                                                                                  • Opcode ID: 6230a3c5e97c4a67157d6a67fc00dc778ed06bd17ee8d2d2cab1e9c77b27c71c
                                                                                                                                                                  • Instruction ID: fea31fcc1739ab290db98ead6b4672fbdfba05a45897d1c47918ee6387bb05c2
                                                                                                                                                                  • Opcode Fuzzy Hash: 6230a3c5e97c4a67157d6a67fc00dc778ed06bd17ee8d2d2cab1e9c77b27c71c
                                                                                                                                                                  • Instruction Fuzzy Hash: D6D17AB8D052588BDB28CF98D991ADCBBF0AF58324F2411E9D809B7340DB315E84CF69
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 004458AA: RtlFreeHeap.NTDLL(00000000,00000000,?,0044C3D9,?,00000000,?,?,0044C67A,?,00000007,?,?,0044CB6E,?,?), ref: 004458C0
                                                                                                                                                                    • Part of subcall function 004458AA: GetLastError.KERNEL32(?,?,0044C3D9,?,00000000,?,?,0044C67A,?,00000007,?,?,0044CB6E,?,?), ref: 004458CB
                                                                                                                                                                  • GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00447E03,00000000,00000000,00000000), ref: 00447CC2
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: ErrorFreeHeapInformationLastTimeZone
• String ID: W. Europe Standard Time$W. Europe Summer Time
• API String ID: 3335090040-690618308
• Opcode ID: 53cfa0c2b2e8e1c4497564ba13a148606d804052baa25eea3ebd75a2ff8e0b0f
• Instruction ID: 95fec9e7b2ee5416ea09e91f5883e66808fc8b830f7b48389ead0be8655ac52d
• Opcode Fuzzy Hash: 53cfa0c2b2e8e1c4497564ba13a148606d804052baa25eea3ebd75a2ff8e0b0f
• Instruction Fuzzy Hash: 7641D471D04225ABEB10BF76DC0696E7FB8EF04358F60415BF814B7291EB389D069B98
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: ErrorLast
• String ID: -1L$-2L
• API String ID: 1452528299-3975959154
• Opcode ID: 7cbc2765ffe9876f453631ab618cea2cdf271d2230653e7288edc8667744d0af
• Instruction ID: 8532e58cabc42239c9a206463210862c2cf1955d45b676afb1905f123e481057
• Opcode Fuzzy Hash: 7cbc2765ffe9876f453631ab618cea2cdf271d2230653e7288edc8667744d0af
• Instruction Fuzzy Hash: 8BA1A071E102489BDB18DBA4CC95BFEB771FF58304F14821EE905BB281EB746A85CB54
Uniqueness
Uniqueness Score: -1.00%

APIs
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040AB87
• CreateDirectoryA.KERNELBASE(00000000,00000000,?), ref: 0040ACD3
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040ADA3
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: CreateDirectory$CopyFile
• String ID:
• API String ID: 379462554-0
• Opcode ID: aa0bf1944e415d055ad1ba2bd394d683157b89170457a394d18422a3be082895
• Instruction ID: fa5d3aefcb5318aac483c8dab34aecfa374d65c0e00a15c095fa280417b77c72
• Opcode Fuzzy Hash: aa0bf1944e415d055ad1ba2bd394d683157b89170457a394d18422a3be082895
• Instruction Fuzzy Hash: EEC1CEB8D042188ADB25DF98C991ADDBBF0AF5C324F1411E9D809B7380DB356E84CF69
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateDirectoryA.KERNELBASE(?,00000000,00000005), ref: 004F2C92
  • Part of subcall function 0042D43A: ReleaseSRWLockExclusive.KERNEL32(004F2D39), ref: 0042D44E
• std::_Throw_Cpp_error.LIBCPMT ref: 004F2CAD
• std::_Throw_Cpp_error.LIBCPMT ref: 004F2CBE
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_$CreateDirectoryExclusiveLockRelease
• String ID:
• API String ID: 1881651058-0
• Opcode ID: 0347d829a5eb11eae45fe4e31cdd857bf971855d4b8e6105c880f95a0e06c83c
• Instruction ID: 605f2016e10b7e18b163202c4e2c4cdd5dfa79e1876f0762e61eb7d28960231e
• Opcode Fuzzy Hash: 0347d829a5eb11eae45fe4e31cdd857bf971855d4b8e6105c880f95a0e06c83c
• Instruction Fuzzy Hash: 08E0D872B4422062D52033367C0763B254C8B11324FD4063AFE20A61D1EDF998048B8A
Uniqueness
Uniqueness Score: -1.00%

APIs
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040B5A7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: CopyFile
• String ID: bV#
• API String ID: 1304948518-2557208531
• Opcode ID: 2e174e6643ddc55f21fd3496af49bc0eec1a3949b4a986039ec58223d0844ec1
• Instruction ID: cae23ce53105954d6f992f15396b4822f88a54db382455c53f0dce72c0814f2e
• Opcode Fuzzy Hash: 2e174e6643ddc55f21fd3496af49bc0eec1a3949b4a986039ec58223d0844ec1
• Instruction Fuzzy Hash: 2BC18DB4D052598FCB25CF98DA916DCBBF1AB4C324F2451AAD809B7340DB356E81CF68
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040C49A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: CreateDirectory
• String ID: U5I
• API String ID: 4241100979-2587217555
• Opcode ID: c096f63529a2d04bfeae6dc2135d5aab1f1a4f86739ed3dadbb568acd2f4c664
• Instruction ID: ac674b7b51f05a57ce70314e7f00a6b42712f57d929c2611c6f576c432607ed5
• Opcode Fuzzy Hash: c096f63529a2d04bfeae6dc2135d5aab1f1a4f86739ed3dadbb568acd2f4c664
• Instruction Fuzzy Hash: A4C16BB4D052188FDB24CF98DA91ADCBBF1AB4C324F645199E809B7340DB316E85CF69
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004F2CD0: GetFileAttributesA.KERNELBASE(?,?,?,0055A5B3,000000FF), ref: 004F2D0C
  • Part of subcall function 004F2CD0: GetLastError.KERNEL32(?,?,0055A5B3,000000FF), ref: 004F2D17
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040E459
Strings
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: AttributesCreateDirectoryErrorFileLast
• String ID: =
• API String ID: 674977465-2322244508
• Opcode ID: c01e006192443c623b1345774e7bd4ae881e867d2a563e42cd0be2be54deea90
• Instruction ID: 4c31c2b4ab6c20c136918818f105c81bd143b56d6cc430cbfc3e2680d29ed538
• Opcode Fuzzy Hash: c01e006192443c623b1345774e7bd4ae881e867d2a563e42cd0be2be54deea90
• Instruction Fuzzy Hash: 2091F2B4D1526C9BDB25CFA9E981ADCFBB4BF48304F00819AE858B7341DB346A84CF55
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID:
• String ID: d A
• API String ID: 0-616623946
• Opcode ID: eede66d756e0c1a0b5e07baf9b01a7231fde42cae16d6e993eff2dc43bb1a5b1
• Instruction ID: 8d691b3f4dbeef2f936747217c2848be1b4780fc272094865f28ed7dea4c0760
• Opcode Fuzzy Hash: eede66d756e0c1a0b5e07baf9b01a7231fde42cae16d6e993eff2dc43bb1a5b1
• Instruction Fuzzy Hash: 7B51E3B4A00104AFDB14DF59CC85AAABBF1EF4D324F24915AF8099B352D379EE41CB94
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 004108A1
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CreateDirectory
                                                                                                                                                                  • String ID: k
                                                                                                                                                                  • API String ID: 4241100979-140662621
                                                                                                                                                                  • Opcode ID: c404385334f48e69bc3d99d72a58cc6b4349818a5b857a9d5148564d291bfd69
                                                                                                                                                                  • Instruction ID: 1f0ba2e685299aad9cd7c917c7bb047ec0820a6efdb3c6e343f4a662026f26a4
                                                                                                                                                                  • Opcode Fuzzy Hash: c404385334f48e69bc3d99d72a58cc6b4349818a5b857a9d5148564d291bfd69
                                                                                                                                                                  • Instruction Fuzzy Hash: 68417BB4D05268DBCB28CF99E990ADCFBB1FB48304F4081AAE819B7350DB746941CF45
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,6F2977B7,?,?,?,?,?,?,?,00000000,00000001,76A923A0,00000000), ref: 004D2D54
                                                                                                                                                                    • Part of subcall function 004DB380: VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040,?,00000000), ref: 004DB3EA
                                                                                                                                                                    • Part of subcall function 004DB380: WriteProcessMemory.KERNEL32(00000000,00000000,t-M,?,00000000), ref: 004DB406
                                                                                                                                                                    • Part of subcall function 004DB380: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 004DB43F
                                                                                                                                                                    • Part of subcall function 004DB380: VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 004DB469
                                                                                                                                                                    • Part of subcall function 0042D43A: ReleaseSRWLockExclusive.KERNEL32(004F2D39), ref: 0042D44E
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Process$AllocMemoryVirtualWrite$CurrentExclusiveLockRelease
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 666592346-0
                                                                                                                                                                  • Opcode ID: c56c19362e8dfe9c929ab92c0b654e71572474fde41903893849a7495f35d764
                                                                                                                                                                  • Instruction ID: 26b9c72b6ddc4c31c1f3b4b91af9721e671e16450a7e1798ce2a3c04c8b5f315
                                                                                                                                                                  • Opcode Fuzzy Hash: c56c19362e8dfe9c929ab92c0b654e71572474fde41903893849a7495f35d764
                                                                                                                                                                  • Instruction Fuzzy Hash: 7432DF70900208CBDB14DF68C9957EDBBB1FF58304F14419AE8096B392DB789E85CFA6
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%
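The record above lists the VirtualAllocEx / WriteProcessMemory pair that Joe Sandbox groups under the API ID Process$AllocMemoryVirtualWrite. The argument columns are raw hex: 00003000 is MEM_COMMIT|MEM_RESERVE and 00000040 is PAGE_EXECUTE_READWRITE, so the function reserves executable memory in a process and then writes into it, the primitive sequence behind most code-injection loaders. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses API lines in the text form shown on this page (the line-format regex is an assumption about this rendering), decodes the flags from documented Win32 constants, and flags a record in which an executable VirtualAllocEx is accompanied by WriteProcessMemory. The embedded input is the six API lines of this record, constructed as a test string; "?" and non-hex arguments are values the sandbox could not recover and are left undecoded.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: the API lines of the record above, copied from the report.
# Indented "Part of subcall function" lines are calls made by a callee of the
# listed function rather than by the function itself.
SAMPLE_RECORD = """\
• GetCurrentProcess.KERNEL32(?,6F2977B7,?,?,?,?,?,?,?,00000000,00000001,76A923A0,00000000), ref: 004D2D54
  • Part of subcall function 004DB380: VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040,?,00000000), ref: 004DB3EA
  • Part of subcall function 004DB380: WriteProcessMemory.KERNEL32(00000000,00000000,t-M,?,00000000), ref: 004DB406
  • Part of subcall function 004DB380: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 004DB43F
  • Part of subcall function 004DB380: VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 004DB469
  • Part of subcall function 0042D43A: ReleaseSRWLockExclusive.KERNEL32(004F2D39), ref: 0042D44E
"""

# One line of the "APIs" list as rendered here (assumed format):
#   [• Part of subcall function XXXXXXXX: ]Api.MODULE(arg,arg,...), ref: XXXXXXXX
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Documented Win32 constants (not taken from the report).
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_PROTECTS = {0x10, 0x20, 0x40, 0x80}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int
    subcall_of: Optional[int]
    # Recovered arguments are 8-digit hex, "?" when unknown, or a short string;
    # only hex values are decoded, everything else becomes None.
    args: list = field(default_factory=list)


def parse_arg(token: str) -> Optional[int]:
    token = token.strip()
    return int(token, 16) if HEX8_RE.match(token) else None


def parse_api_lines(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an API line (e.g. a LIBCPMT symbol without a module)
        # Arguments are comma separated; string arguments containing commas do
        # not occur in this record, so a plain split is sufficient here.
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(
            api=m["api"], module=m["mod"], ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None, args=args,
        ))
    return calls


def decode_alloc_type(flags: int) -> list:
    names = []
    if flags & MEM_COMMIT:
        names.append("MEM_COMMIT")
    if flags & MEM_RESERVE:
        names.append("MEM_RESERVE")
    return names


def decode_protect(prot: int) -> str:
    # The low byte holds the page protection; higher bits are modifiers (PAGE_GUARD etc.).
    return PAGE_PROTECT.get(prot & 0xFF, "UNKNOWN(0x%X)" % prot)


def flag_remote_rwx_write(calls: list) -> dict:
    """Flag the allocate-executable-then-write pattern used by injection loaders.

    VirtualAllocEx(hProcess, lpAddress, dwSize, flAllocationType, flProtect):
    flProtect is argument index 4. A WriteProcessMemory in the same record means
    the code fills memory it has just made executable.
    """
    exec_allocs = [
        c for c in calls
        if c.api == "VirtualAllocEx" and len(c.args) > 4
        and c.args[4] is not None and (c.args[4] & 0xFF) in EXECUTABLE_PROTECTS
    ]
    writes = [c for c in calls if c.api == "WriteProcessMemory"]
    return {
        "exec_allocs": len(exec_allocs),
        "writes": len(writes),
        "protections": sorted({decode_protect(c.args[4]) for c in exec_allocs}),
        "suspicious": bool(exec_allocs) and bool(writes),
    }


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_RECORD)
    for c in parsed:
        if c.api == "VirtualAllocEx":
            print("%08X %s type=%s protect=%s" % (
                c.ref, c.api, "|".join(decode_alloc_type(c.args[3])), decode_protect(c.args[4])))
    print(flag_remote_rwx_write(parsed))
```

Run it on the record text and both VirtualAllocEx calls decode to MEM_COMMIT|MEM_RESERVE with PAGE_EXECUTE_READWRITE, with two WriteProcessMemory calls in the same subcall, which is what makes this function worth opening in the disassembly before the CRT wrappers around it. The 00000000 process handle in the first VirtualAllocEx is a recovered stack value at dump time, not evidence about the real target process, so the helper keys only on the protection flags.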

                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0044372F: GetConsoleOutputCP.KERNEL32(8D5902D8,00000000,00000000,00437957), ref: 00443792
                                                                                                                                                                  • WriteFile.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,?,004F2E1F,?,00437877,004F2E1F,?,00578900,00000010,00437957), ref: 0044419E
                                                                                                                                                                  • GetLastError.KERNEL32(?,00437877,004F2E1F,?,00578900,00000010,00437957,004F2E1F,?,00000000,?), ref: 004441A8
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ConsoleErrorFileLastOutputWrite
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2915228174-0
                                                                                                                                                                  • Opcode ID: 66e0ddea0cb217b6ae80d1a32b3b59e934d250a7623237bbde176196d2ee28a3
                                                                                                                                                                  • Instruction ID: 0628d0172fcac0a10c399004d6184d52a202fa31f39ed19b8586a1ab0f8a80ff
                                                                                                                                                                  • Opcode Fuzzy Hash: 66e0ddea0cb217b6ae80d1a32b3b59e934d250a7623237bbde176196d2ee28a3
                                                                                                                                                                  • Instruction Fuzzy Hash: 2B61C471900119AFEF11CFA8DC84BEFBBB9BF99304F14014AE900A7202D779D955DB65
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: __fread_nolock
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2638373210-0
                                                                                                                                                                  • Opcode ID: a6de1df37dfb96f7904da2523f795a48f12aff5b6393de5a7868983c18ffdd9b
                                                                                                                                                                  • Instruction ID: b5ec34bd29a15183def94e688a440539f4bf7795f8ca6c39a07d260135894a7b
                                                                                                                                                                  • Opcode Fuzzy Hash: a6de1df37dfb96f7904da2523f795a48f12aff5b6393de5a7868983c18ffdd9b
                                                                                                                                                                  • Instruction Fuzzy Hash: 82615B326042058FCB18CF2DD9809AA77E1EF88720F05866EFC58CB345E775DC698B99
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • GetFileAttributesA.KERNELBASE(?,7FFFFFFF,?,?,?,?,00000000,00558869,000000FF,?,?,00000000,00000001), ref: 00407B6A
                                                                                                                                                                  • CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000,00558869,000000FF,?,?,00000000), ref: 00407BF2
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AttributesCreateDirectoryFile
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3401506121-0
                                                                                                                                                                  • Opcode ID: d08a96d9c25024a750445a24f33408e8c4088889fc05b13ee24b34efa54571e3
                                                                                                                                                                  • Instruction ID: 2e2c2f2e01908e67c2a54bf0340a0c4501e43c5477e127a6dc49a8083d671767
                                                                                                                                                                  • Opcode Fuzzy Hash: d08a96d9c25024a750445a24f33408e8c4088889fc05b13ee24b34efa54571e3
                                                                                                                                                                  • Instruction Fuzzy Hash: 2641F175E14601EFC720DF64EC42AAAB7B5FB54724F18032AE816633D0E7347944DB96
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00443576,00000000,CF830579,00578C68,0000000C,00443632,0043790D,?), ref: 004436E5
                                                                                                                                                                  • GetLastError.KERNEL32(?,00443576,00000000,CF830579,00578C68,0000000C,00443632,0043790D,?), ref: 004436EF
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ChangeCloseErrorFindLastNotification
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1687624791-0
                                                                                                                                                                  • Opcode ID: b78c23c39475fb946a6917cc79ada02ff23f82b2eae8cc914a7116fd1dd25ee2
                                                                                                                                                                  • Instruction ID: 5b9e54e71ebf2813978f3334a6ac8d2e590d94fd15b88a1802dc34040f0fcd9e
                                                                                                                                                                  • Opcode Fuzzy Hash: b78c23c39475fb946a6917cc79ada02ff23f82b2eae8cc914a7116fd1dd25ee2
                                                                                                                                                                  • Instruction Fuzzy Hash: 0B118C326041153AF6302A34AC4DB3F67898B82F39F26014FF908873C2DE6D8D409658
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00437957,00000000,00000002,00000000,00000000,00000000,00000000,?,0043CEE6,00000000,00000000,00437957,00000002,00000000), ref: 0043CDE8
                                                                                                                                                                  • GetLastError.KERNEL32(00000000,?,0043CEE6,00000000,00000000,00437957,00000002,00000000,?,004440BE,00000000,00000000,00000000,00000002,00437957,00000000), ref: 0043CDF5
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorFileLastPointer
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2976181284-0
                                                                                                                                                                  • Opcode ID: 0af088d07c5e9b5a66b5e22e0931705f94c426e6b0292fcf303bea830e5f1f74
                                                                                                                                                                  • Instruction ID: 056746620e1e5b2230fb06e89194d4bad5ac0bf9516e57b03a2b19a767fcc837
                                                                                                                                                                  • Opcode Fuzzy Hash: 0af088d07c5e9b5a66b5e22e0931705f94c426e6b0292fcf303bea830e5f1f74
                                                                                                                                                                  • Instruction Fuzzy Hash: 62012632614119AFCF058F59CC49D9E3F2AEF89320F24020AF811AB2D0EA75ED41DBD4
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00405D9E
                                                                                                                                                                    • Part of subcall function 0042C80A: FindNextFileW.KERNELBASE(?,?,?,00405DA3,?,?), ref: 0042C813
                                                                                                                                                                  • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00405DB7
                                                                                                                                                                    • Part of subcall function 0042C80A: GetLastError.KERNEL32(?,00405DA3,?,?), ref: 0042C821
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ___std_fs_directory_iterator_advance@8$ErrorFileFindLastNext
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1771861590-0
                                                                                                                                                                  • Opcode ID: eb254d40bdae5997d1b915ee938d47a4925237b4d84c79f510e65dea7e6ef008
                                                                                                                                                                  • Instruction ID: 0108473d78f0f304d06e31c26ecc01ded597c2f8cb716c03f48c3c202a603d91
                                                                                                                                                                  • Opcode Fuzzy Hash: eb254d40bdae5997d1b915ee938d47a4925237b4d84c79f510e65dea7e6ef008
                                                                                                                                                                  • Instruction Fuzzy Hash: 02E09232200A212299503513AD055EFAB5EEE913A4740403BFA05A7781EB38EC1285E9
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• RtlFreeHeap.NTDLL(00000000,00000000,?,0044C3D9,?,00000000,?,?,0044C67A,?,00000007,?,?,0044CB6E,?,?), ref: 004458C0
• GetLastError.KERNEL32(?,?,0044C3D9,?,00000000,?,?,0044C67A,?,00000007,?,?,0044CB6E,?,?), ref: 004458CB
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: faeb12ccb0e26dc965f9d80f3c1b711b705900c11bc95a42bd6c0ce8c2310291
• Instruction ID: 23237336ed7649a93a226213d1d5fd37ccb1674bfa2126fe5f49bd5de7ec7b5d
• Opcode Fuzzy Hash: faeb12ccb0e26dc965f9d80f3c1b711b705900c11bc95a42bd6c0ce8c2310291
• Instruction Fuzzy Hash: 75E086315006146BDB113FB9EC0DBAA3BA8EB44355F519026F709D7161CF788854D7C8
Uniqueness

Uniqueness Score: -1.00%

APIs
• DeleteFileA.KERNELBASE(?), ref: 004D1911
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: a0a35e922f4f0a70ad5e3bab5b3892ac09c1540c5f8475580bdb878dc4288fc7
• Instruction ID: 595fb68b70b26d2d20b0dfc54c8cde64091a38ddc6938181b846cdeea2eef5ff
• Opcode Fuzzy Hash: a0a35e922f4f0a70ad5e3bab5b3892ac09c1540c5f8475580bdb878dc4288fc7
• Instruction Fuzzy Hash: 3C22C1B0D002099FCB14DFA8D995BAEBBB1FF48304F14825EE805AB352D734AA45CF95
Uniqueness

Uniqueness Score: -1.00%

APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 004254A7
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: Concurrency::cancel_current_task
• String ID:
• API String ID: 118556049-0
• Opcode ID: 6463476b976481346b0f1093190228b31a5fd325bfddd8a922556d8987916ca0
• Instruction ID: c4b725e649f7e58322d65e55cd69c4218f7731d497adffb4160b667c7d72a65a
• Opcode Fuzzy Hash: 6463476b976481346b0f1093190228b31a5fd325bfddd8a922556d8987916ca0
• Instruction Fuzzy Hash: D7810372700515AFC708EF38E98597EB7A9EF443207A4832EE819C7385EA34EE55C794
Uniqueness

Uniqueness Score: -1.00%

APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 00411CA5
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: Concurrency::cancel_current_task
• String ID:
• API String ID: 118556049-0
• Opcode ID: aabfa15b1065b528361af71ed1f78f970e6589b199b2026b60074c120a1ed7d3
• Instruction ID: a9115b42fecf8998d40f26f04e050bc50794b9bc8bc91804c339519e047c10bd
• Opcode Fuzzy Hash: aabfa15b1065b528361af71ed1f78f970e6589b199b2026b60074c120a1ed7d3
• Instruction Fuzzy Hash: 86A13AB0900215DFDB04CF69C580B99FBF0BF09314F28C1AEE549AB352E779A985CB95
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
• Opcode ID: 94468eb9081900363dfd662bc71926861537d4ac9132e76e5d5add44549b5d1d
• Instruction ID: 32bcb13d06159bcbf1e711c284ff9f9cb594162b32a10293023583a718d1283d
• Opcode Fuzzy Hash: 94468eb9081900363dfd662bc71926861537d4ac9132e76e5d5add44549b5d1d
• Instruction Fuzzy Hash: 8C51A1B0D002099FDB14DF59D981BAEFBB0FF49704F14825EE8046B342D7799A41CB95
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
• Opcode ID: b69ec9a415716678f392a8959026dd82b3597fb433f0346b2d751f9f8bbfdb4e
• Instruction ID: 6ce4f48939319f72f3aec6a6d9b50e6fff9bcb1e6f6dae555552d8831335830b
• Opcode Fuzzy Hash: b69ec9a415716678f392a8959026dd82b3597fb433f0346b2d751f9f8bbfdb4e
• Instruction Fuzzy Hash: 2551A0B0D002099FDB14DF59D981BAEFBB0FF49704F14825EE8146B341E779AA41CBA5
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
• Opcode ID: 1c393b77a678177202ae0a4b35ab124da8259f0f62cb0e23b0d2acb6517c6524
• Instruction ID: cd4a1da141f317168313a104556b472c5763c058f69814c45053fc560e84e052
• Opcode Fuzzy Hash: 1c393b77a678177202ae0a4b35ab124da8259f0f62cb0e23b0d2acb6517c6524
• Instruction Fuzzy Hash: 6A5180B0D002099BDB24DF59D982BAEFBF0FF44714F14061EE5416B341D779AA44CBA6
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___std_fs_directory_iterator_open@12.LIBCPMT ref: 00405BB1
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: ___std_fs_directory_iterator_open@12
• String ID:
• API String ID: 29801545-0
• Opcode ID: f696d6151f309be9193cc7c85e873ba70de42943ce5765209a9c4d3a5a8c60fc
• Instruction ID: d5a1cf4f232f5c6ac5430c54351a6ee74597bd081f23ad9fa31e924e3bde2b96
• Opcode Fuzzy Hash: f696d6151f309be9193cc7c85e873ba70de42943ce5765209a9c4d3a5a8c60fc
• Instruction Fuzzy Hash: 8741CF72E146049BDB18DF49D8817AEB7B4FB84320F14466AEC11637C1EB397D50CA95
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(?,00000000), ref: 00408A31
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: e778ac258585310e7fe4938e31092008cd6e18a3a51d75130e0cc209c0f13ca7
• Instruction ID: d2c8f323ac81831e6b5d26602da7a52bd27c9e45b28783f3ac091e4753249403
• Opcode Fuzzy Hash: e778ac258585310e7fe4938e31092008cd6e18a3a51d75130e0cc209c0f13ca7
• Instruction Fuzzy Hash: DD514AB8D05218EBDB14CF98DA90ADDFBB1BB48350F2081AAD849B7340DB306B84DF55
Uniqueness
Uniqueness Score: -1.00%

APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 0041A23C
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: Concurrency::cancel_current_task
• String ID:
• API String ID: 118556049-0
• Opcode ID: 2c84c2b0e743d94a5817f271001594ec1067e0da77e27549a2bd472c2b57b4ad
• Instruction ID: 860ce97b332fb9d1e031327c07cea4d064aa7b2201825034e64e2daf926a64eb
• Opcode Fuzzy Hash: 2c84c2b0e743d94a5817f271001594ec1067e0da77e27549a2bd472c2b57b4ad
• Instruction Fuzzy Hash: 5A018572A010205F9B10AFA9CD828AB3798CF49354701427BF906CB342D639EDA483EF
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: 74b1a02970c39c47b45041c200990e685aac7fc35223ed5dd6a5c291d0407c3c
• Instruction ID: e92d0ab7a98c68cd7689e4ea664d55cb742e11440dbe97f573872f5ababe4450
• Opcode Fuzzy Hash: 74b1a02970c39c47b45041c200990e685aac7fc35223ed5dd6a5c291d0407c3c
• Instruction Fuzzy Hash: D6112A71A0410AAFDF05DF58E94199F7BF5EF48304F14405AF805EB352D670DA15CB69
Uniqueness
Uniqueness Score: -1.00%

APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 0040373F
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: Concurrency::cancel_current_task
• String ID:
• API String ID: 118556049-0
• Opcode ID: 12c324e41fe382e8fe9a14f23e64098c2d41453202b30a4ddcfc1465a6711afe
• Instruction ID: 1f83190ccb7284a945d627c352a8af0deec80e54417847a9b28e6d6de5687d5d
• Opcode Fuzzy Hash: 12c324e41fe382e8fe9a14f23e64098c2d41453202b30a4ddcfc1465a6711afe
• Instruction Fuzzy Hash: F6F024F26000009BCB14AF61E4429FAB7ECDE243A7750447FF989D7282E73EDA448788
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000008,0042C58A,00417EFF,?,00444870,00000001,00000364,00417EFF,00000008,000000FF,?,0042F3CF,00417EFD,00417EFB,?,?), ref: 00444F2B
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: a67815bf3a869f96681a983d491eb3b40caf69aff6fa6519728d0dfc96a736c8
• Instruction ID: 086544c5e523b8e02c2757f3417cf7e9bd7439c420b709eac9e7cfb6d4d974b4
• Opcode Fuzzy Hash: a67815bf3a869f96681a983d491eb3b40caf69aff6fa6519728d0dfc96a736c8
• Instruction Fuzzy Hash: CEF0B4316155246BBB215E629C05B7B7788ABD17A1F158417FD04E7280CE38D80886E9
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetupDiGetClassDevsA.SETUPAPI(00562560,00000000,00000000,00000012), ref: 004F1F17
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: ClassDevsSetup
• String ID:
• API String ID: 2330331845-0
• Opcode ID: bdd51cae4c084c57fcc4901e949a17f5d6d576fa70ecaa2978942f43ecf13d9a
• Instruction ID: bee270daeaff66964e48d3d321f2ef6a0a83fe545a7604eea2b81030ab9a0a7d
• Opcode Fuzzy Hash: bdd51cae4c084c57fcc4901e949a17f5d6d576fa70ecaa2978942f43ecf13d9a
• Instruction Fuzzy Hash: E4F0E970B1071857D3309F28AC05357BBE49B51B14F10075EF5458B3C1E7F5699853D6
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,00417EFF,00417EFB,?,0042F3CF,00417EFD,00417EFB,?,?,?,0040390D,0042C58A,00417EFF,00417EFB,0042C58A), ref: 00445956
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: f2b14cbab143d06f1f7f7dbb6931a5cb890e65deebc000058d543e0d14a0fef9
• Instruction ID: 47241cb67a9c7b30d4e0b830f1b418076ccf533a730137c1b779a77b3e9f7ccf
• Opcode Fuzzy Hash: f2b14cbab143d06f1f7f7dbb6931a5cb890e65deebc000058d543e0d14a0fef9
• Instruction Fuzzy Hash: 1CE0E571202A20EBFE252F265C0576B3648DB413B0F080113FD05F6292DB68CC0482ED
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00405AB3
  • Part of subcall function 0042C80A: FindNextFileW.KERNELBASE(?,?,?,00405DA3,?,?), ref: 0042C813
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: FileFindNext___std_fs_directory_iterator_advance@8
• String ID:
• API String ID: 3878998205-0
• Opcode ID: 81b8d4adac4151a37c88ea3531144291c0ed1dde65bf57112f3d275560818ac6
• Instruction ID: f6ea285aba16a13ea3ec76640246895ff5761922bd5c6c82d3b00af4906e1a90
• Opcode Fuzzy Hash: 81b8d4adac4151a37c88ea3531144291c0ed1dde65bf57112f3d275560818ac6
• Instruction Fuzzy Hash: BED0A721300930115E65712738405FF4A5ACED2778B04017FB904F33C2EA2C4C038CED
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: H_prolog3
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 431132790-0
                                                                                                                                                                  • Opcode ID: 6a1e62305c3acb8e5222b1c12e093a7fef9c21457bd0ab900d0622aaa7e19f4a
                                                                                                                                                                  • Instruction ID: aff0934107e9bc2afc1ed01947bee51e3b082187fcc3c1abf97fb91d30d5be1b
                                                                                                                                                                  • Opcode Fuzzy Hash: 6a1e62305c3acb8e5222b1c12e093a7fef9c21457bd0ab900d0622aaa7e19f4a
                                                                                                                                                                  • Instruction Fuzzy Hash: 95E09A72D0020D9ADB00DFD5D456BEFBBB8AB08314F50416BA605E7181EB785748CBE5
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0043D239
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 823142352-0
                                                                                                                                                                  • Opcode ID: a91d23867b62d5b96c41623edd2e8bd3ad87182c46de236b94739b51406d3068
                                                                                                                                                                  • Instruction ID: 7ae74b51c889a2cb05e6a06522f477e8d6926b4a8c7f3733491aa3a38d366a2c
                                                                                                                                                                  • Opcode Fuzzy Hash: a91d23867b62d5b96c41623edd2e8bd3ad87182c46de236b94739b51406d3068
                                                                                                                                                                  • Instruction Fuzzy Hash: 92D06C3200010DBBDF028F84DC06EDA3BAAFB4C714F014040FA1866120C772E822EB90
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • FreeLibrary.KERNELBASE(6C210000), ref: 00408FF3
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FreeLibrary
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3664257935-0
                                                                                                                                                                  • Opcode ID: e1b8b5312981e26a60b0176e6b126c99adc267963dcf4990b13cab83b377898a
                                                                                                                                                                  • Instruction ID: 490db17b99ce191f58a9b4e04f03cf5ce589e7a007bfd414fe16c1c7cc511007
                                                                                                                                                                  • Opcode Fuzzy Hash: e1b8b5312981e26a60b0176e6b126c99adc267963dcf4990b13cab83b377898a
                                                                                                                                                                  • Instruction Fuzzy Hash: 23C012680082C29BCB0693358848365AE00AF23218F8804AE8880A66D3CDA94008DB15
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • Sleep.KERNEL32(00000065,?,?,?,?,?,?,?,?,?,?,?,00458D52), ref: 004D2093
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Sleep
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3472027048-0
                                                                                                                                                                  • Opcode ID: 83f2b2eca9ec0b48552a48ca10ae59a4487ce3495c761ca9039c3b03c55a5e39
                                                                                                                                                                  • Instruction ID: 5725677e75a6ac36c440eb726a8cd5388f75a9debdf55df4042df7e65aebbe00
                                                                                                                                                                  • Opcode Fuzzy Hash: 83f2b2eca9ec0b48552a48ca10ae59a4487ce3495c761ca9039c3b03c55a5e39
                                                                                                                                                                  • Instruction Fuzzy Hash: 20F0E221A0025016EA22B2792D0673A3F85A7A6724F48018BEF423B7D2DAD82D0983D6
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • Sleep.KERNELBASE(00000065), ref: 004D2103
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Sleep
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3472027048-0
                                                                                                                                                                  • Opcode ID: 35fb44faf0a8fc100d841d81db4c77c8e28ab7600db3ad407436fbe4614108cb
                                                                                                                                                                  • Instruction ID: 16727208b5f08e4bea599353fbf53a6d413f31fbfb73884cdf8f34aab55cbcc4
                                                                                                                                                                  • Opcode Fuzzy Hash: 35fb44faf0a8fc100d841d81db4c77c8e28ab7600db3ad407436fbe4614108cb
                                                                                                                                                                  • Instruction Fuzzy Hash: B8F0A731B0025416EA26736D7E06B3B3F8997A5765F48009FEE403BBD2DDD9280987D6
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • Sleep.KERNELBASE(00000065,?,?,?,?,?,?,?,?,?,?,?,00458D4D), ref: 004D2173
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Sleep
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3472027048-0
                                                                                                                                                                  • Opcode ID: cb4445f8f23e35d184d7bbbb276354b3f66d002ad20050ef745446d9cc5894b3
                                                                                                                                                                  • Instruction ID: 90a6c49b21b0fd82ae87a0f264113b7d17b526517561dc18198510732a1b952e
                                                                                                                                                                  • Opcode Fuzzy Hash: cb4445f8f23e35d184d7bbbb276354b3f66d002ad20050ef745446d9cc5894b3
                                                                                                                                                                  • Instruction Fuzzy Hash: 53F0E225A0024016EA21B26D2D07B3B3FA587E5724F48008BEE403B7E2E998690D93D6
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • Sleep.KERNELBASE(00000065), ref: 004D1FB3
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Sleep
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3472027048-0
                                                                                                                                                                  • Opcode ID: 8cc8233da0b4eadc4345afef26914da44cd989e3a36f9e64d21921473576aba7
                                                                                                                                                                  • Instruction ID: 96813e4978320da69047605bdc5ebc2db0ede144c46c0996891fef61e0d73129
                                                                                                                                                                  • Opcode Fuzzy Hash: 8cc8233da0b4eadc4345afef26914da44cd989e3a36f9e64d21921473576aba7
                                                                                                                                                                  • Instruction Fuzzy Hash: F1F02731B0425026EA25736D7D06B3A3F858795724F48018FED002BBE3DE99280987D7
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • Sleep.KERNEL32(00000065,?,?,?,?,?,?,?,?,?,?,?,00458D57), ref: 004D2023
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Sleep
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3472027048-0
                                                                                                                                                                  • Opcode ID: 023d8daf2c2feeef625063db40c37107e19a346fd89d2fc77cc72de507247420
                                                                                                                                                                  • Instruction ID: 649beb9cb224a865d551f479db4d9118ca68f30c140776fc94dbe4ded046f890
                                                                                                                                                                  • Opcode Fuzzy Hash: 023d8daf2c2feeef625063db40c37107e19a346fd89d2fc77cc72de507247420
                                                                                                                                                                  • Instruction Fuzzy Hash: 76F0E921A4224016DA2272693D067363F8587A5764F04104FEF00377D2D9D42809C7D6
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

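The API bullets in these function blocks all follow one shape (`Name.MODULE(args), ref: ADDR`, with `?` for an argument the analysis could not recover), so they can be parsed and checked mechanically rather than read one block at a time. The following is an added example, not part of the Joe Sandbox report or its IDA plugin: a small Python parser for that bullet format, run over the API lines copied from the blocks in this section (the repeated `Sleep(00000065)` calls above and the GDI/GDI+ screen-capture routine listed in the next function block). It groups constant `Sleep` delays by how many functions use them and, for the capture routine, decodes the `GetSystemMetrics` indices and the `BitBlt` raster operation. The Win32 constant values (`SM_CXSCREEN`, `SM_CYSCREEN`, `SRCCOPY`, `CAPTUREBLT`) are standard; the check names, the subsequence rule and the output layout are this example's own choices.

```python
"""Parser and two checks for the per-function "APIs" bullets of a Joe Sandbox report.
Added example for this page, not Joe Sandbox code; check names and output layout are this example's own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Bullet shape in the report's "APIs" lists:  • Name.MODULE(arg,...), ref: ADDR   ('?' = unrecovered argument)
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>[A-Z0-9_]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
SM_NAMES = {0: "SM_CXSCREEN", 1: "SM_CYSCREEN"}  # standard Win32 values, not taken from the report
SRCCOPY, CAPTUREBLT = 0x00CC0020, 0x40000000
# GDI -> GDI+ capture chain, in the order it must appear within one function.
SCREENSHOT_CHAIN = ["GetDC", "CreateCompatibleDC", "CreateCompatibleBitmap",
                    "SelectObject", "BitBlt", "GdipSaveImageToFile"]


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # None where the report shows '?'
    ref: int                   # address of the call site


def parse_block(text: str) -> List[ApiCall]:
    """Turn one function block's API bullets into ApiCall records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args").strip()
        args = [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def _in_order(calls: List[ApiCall], wanted: List[str]) -> bool:
    """Subsequence match on API names only (the report lists Sleep under KERNEL32 or KERNELBASE; module is no key)."""
    names = iter(c.api for c in calls)
    return all(any(name == got for got in names) for name in wanted)


def screenshot_findings(calls: List[ApiCall]) -> Dict[str, object]:
    """Flag the capture chain and decode the arguments that say what was grabbed and how."""
    out: Dict[str, object] = {"screenshot_chain": _in_order(calls, SCREENSHOT_CHAIN)}
    metrics = []
    for c in calls:
        if c.api == "GetSystemMetrics" and c.args and c.args[0] is not None:
            metrics.append(SM_NAMES.get(c.args[0], hex(c.args[0])))
        elif c.api == "BitBlt" and len(c.args) >= 9 and c.args[8] is not None:
            rop = c.args[8]  # 9th argument of BitBlt(hdcDest, x, y, cx, cy, hdcSrc, x1, y1, rop)
            out["bitblt_rop"] = {"SRCCOPY": (rop & 0x00FFFFFF) == SRCCOPY,
                                 "CAPTUREBLT": bool(rop & CAPTUREBLT)}
    if metrics:
        out["metrics_queried"] = metrics
    return out


def sleep_summary(blocks: List[List[ApiCall]]) -> Dict[int, int]:
    """Map each constant Sleep delay (ms) to how many functions use it.  The same short delay in many
    functions points at a duplicated wait/poll helper: a lead to read, not proof of timing evasion."""
    counts: Dict[int, int] = {}
    for calls in blocks:
        for delay in {c.args[0] for c in calls if c.api == "Sleep" and c.args and c.args[0] is not None}:
            counts[delay] = counts.get(delay, 0) + 1
    return counts


def analyze(block_texts: List[str]) -> Dict[str, object]:
    """Run both checks over a list of function blocks (one string of bullets per function)."""
    blocks = [parse_block(t) for t in block_texts]
    report: Dict[str, object] = {"functions": len(blocks), "sleep_delays_ms": sleep_summary(blocks)}
    for calls in blocks:
        findings = screenshot_findings(calls)
        if findings["screenshot_chain"]:
            findings["function_ref"] = hex(calls[0].ref)
            report["screenshot"] = findings
    return report


# Input: API bullets copied from the function blocks on this page, one string per function.
SAMPLE_BLOCKS = [
    "• Sleep.KERNEL32(00000065,?,?,?,?,?,?,?,?,?,?,?,00458D52), ref: 004D2093",
    "• Sleep.KERNELBASE(00000065), ref: 004D2103",
    "• Sleep.KERNELBASE(00000065,?,?,?,?,?,?,?,?,?,?,?,00458D4D), ref: 004D2173",
    "• Sleep.KERNELBASE(00000065), ref: 004D1FB3",
    "• Sleep.KERNEL32(00000065,?,?,?,?,?,?,?,?,?,?,?,00458D57), ref: 004D2023",
    """• GdiplusStartup.GDIPLUS(?,0045A92C,00000000,7FFFFFFF,?), ref: 004F2189
• GetSystemMetrics.USER32(00000001), ref: 004F219F
• GetSystemMetrics.USER32(00000000), ref: 004F21A5
• GetDC.USER32(00000000), ref: 004F21AB
• CreateCompatibleDC.GDI32(00000000), ref: 004F21BF
• CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 004F21D3
• SelectObject.GDI32(?,00000000), ref: 004F21E8
• BitBlt.GDI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CC0020), ref: 004F2201
• GdipCreateBitmapFromHBITMAP.GDIPLUS(00584418,00000000,00000000), ref: 004F2217
• GdipGetImageEncodersSize.GDIPLUS(00000000,?), ref: 004F2233
• GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 004F225A
• GdipSaveImageToFile.GDIPLUS(00000000,6F2977B7,?,?), ref: 004F22FD""",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_BLOCKS))
```

Run as a script it prints one dictionary: five functions share the 101 ms (`00000065`) delay, and the function at `0x4f2189` queries `SM_CYSCREEN` then `SM_CXSCREEN` and copies with plain `SRCCOPY` (no `CAPTUREBLT`, so layered windows would not be included). The chain check is only a subsequence match on API names within a single function block; a routine that splits the GDI setup and the GDI+ save across helper functions would need the caller and callee blocks merged before this rule fires.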
                                                                                                                                                                  APIs
                                                                                                                                                                  • GdiplusStartup.GDIPLUS(?,0045A92C,00000000,7FFFFFFF,?), ref: 004F2189
                                                                                                                                                                  • GetSystemMetrics.USER32(00000001), ref: 004F219F
                                                                                                                                                                  • GetSystemMetrics.USER32(00000000), ref: 004F21A5
                                                                                                                                                                  • GetDC.USER32(00000000), ref: 004F21AB
                                                                                                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 004F21BF
                                                                                                                                                                  • CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 004F21D3
                                                                                                                                                                  • SelectObject.GDI32(?,00000000), ref: 004F21E8
                                                                                                                                                                  • BitBlt.GDI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CC0020), ref: 004F2201
                                                                                                                                                                  • GdipCreateBitmapFromHBITMAP.GDIPLUS(00584418,00000000,00000000), ref: 004F2217
                                                                                                                                                                  • GdipGetImageEncodersSize.GDIPLUS(00000000,?), ref: 004F2233
                                                                                                                                                                  • GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 004F225A
                                                                                                                                                                  • GdipSaveImageToFile.GDIPLUS(00000000,6F2977B7,?,?), ref: 004F22FD
                                                                                                                                                                  • DeleteObject.GDI32(00584418), ref: 004F2306
                                                                                                                                                                  • GdipDisposeImage.GDIPLUS(00000000), ref: 004F230D
                                                                                                                                                                  • DeleteObject.GDI32(?), ref: 004F2316
                                                                                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 004F231F
                                                                                                                                                                  • GdiplusShutdown.GDIPLUS(?), ref: 004F2328
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Gdip$Image$CreateObject$BitmapCompatibleDeleteEncodersGdiplusMetricsSystem$DisposeFileFromReleaseSaveSelectShutdownSizeStartup
                                                                                                                                                                  • String ID: image/png
                                                                                                                                                                  • API String ID: 258367123-2966254431
                                                                                                                                                                  • Opcode ID: fb1bbdcbdec57114dd12a1ee1549e3a4fa01625a0ff2eb2c6bcf6a3c4bb0fd9d
                                                                                                                                                                  • Instruction ID: db5a99caf6ac0e95f343f652cfce475829ccb6d2aa326760d5af157a7b9552c8
                                                                                                                                                                  • Opcode Fuzzy Hash: fb1bbdcbdec57114dd12a1ee1549e3a4fa01625a0ff2eb2c6bcf6a3c4bb0fd9d
                                                                                                                                                                  • Instruction Fuzzy Hash: C8516D71D00209AFDF109FA4DD49BEEBBB8FF18314F100065EA05B72A1D7B99948DB64
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: __floor_pentium4
                                                                                                                                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                  • API String ID: 4168288129-2761157908
                                                                                                                                                                  • Opcode ID: da9375122c7f38aef1b98b42bf48e098612be30453a2df058743415e8865b902
                                                                                                                                                                  • Instruction ID: 19b2b9832e91dc5334225f28d461ebb5f9cd7fa0aaab348ffad5a30d2ce72a94
                                                                                                                                                                  • Opcode Fuzzy Hash: da9375122c7f38aef1b98b42bf48e098612be30453a2df058743415e8865b902
                                                                                                                                                                  • Instruction Fuzzy Hash: 0FD23971E086288FDB64CE28DD447EAB7B5EB45305F1401EBD80DE7241EB78AE898F45
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • IsDebuggerPresent.KERNEL32 ref: 004E20A0
                                                                                                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000015), ref: 004E20AC
                                                                                                                                                                  • GetVolumeInformationA.KERNEL32(?,?,00000105,?,?,?,?,00000105), ref: 004E215F
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Present$DebuggerFeatureInformationProcessorVolume
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3535182753-0
                                                                                                                                                                  • Opcode ID: 623aa9994b68ff213dbe910c545f283b358e46525878ba29fffe8422486bf1ad
                                                                                                                                                                  • Instruction ID: afbfdc60606ab1e9c61f519775a33832b97aa9882633c04701562a7ea04b081c
                                                                                                                                                                  • Opcode Fuzzy Hash: 623aa9994b68ff213dbe910c545f283b358e46525878ba29fffe8422486bf1ad
                                                                                                                                                                  • Instruction Fuzzy Hash: C0B103B8D0424CEBCB25CFA5DA81AEDBBB5BF19304F2441DAD885AB341EB315A44DF44
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00553513
                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00553571
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 885266447-0
                                                                                                                                                                  • Opcode ID: d6ef0b778412603ae4375fe8f4b2b868cc24e55a123d3fdd18dfd41b4726deb8
                                                                                                                                                                  • Instruction ID: 3fbf31a8c3cdee1091fcfc22b4047fc9f3449861c1a85ea422063c13361c5e55
                                                                                                                                                                  • Opcode Fuzzy Hash: d6ef0b778412603ae4375fe8f4b2b868cc24e55a123d3fdd18dfd41b4726deb8
                                                                                                                                                                  • Instruction Fuzzy Hash: 7802F571E006598BCF19CF6DD8A42BDFFB1BF85351F1982ABE859AB281DB704A44C740
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • InternetCloseHandle.WININET(?), ref: 004FA262
                                                                                                                                                                  • InternetCloseHandle.WININET(?), ref: 004FA271
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CloseHandleInternet
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1081599783-0
                                                                                                                                                                  • Opcode ID: fd654fbc9e612cb654ed9e4d8faceb9001d45f40f054eec1f6580af07df3ed4c
                                                                                                                                                                  • Instruction ID: f9047d7434dced4cf20933e84560d58d69618fbb45727c1a51f3fb53e9aaca21
                                                                                                                                                                  • Opcode Fuzzy Hash: fd654fbc9e612cb654ed9e4d8faceb9001d45f40f054eec1f6580af07df3ed4c
                                                                                                                                                                  • Instruction Fuzzy Hash: 1B814DB5E042099BDF18CF99DD81ABEBBB5FF88310F14812AE905B7340DB359911CBA5
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: e66eafb21ff0ac23a1e243a383367402beece03311f5ec548545498dddb0c253
                                                                                                                                                                  • Instruction ID: f66ee135833696fdc7097fc137d742b9d11648fb3e57faaf4428e0af157d3001
                                                                                                                                                                  • Opcode Fuzzy Hash: e66eafb21ff0ac23a1e243a383367402beece03311f5ec548545498dddb0c253
                                                                                                                                                                  • Instruction Fuzzy Hash: 653274B3F5161447DF1CCA6ECC922EDB2E36FD821871E813DE80AE3345EA79E9454684
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 1f2036eef49e5e85395cc8371fabf856195ee32ae0729c8c85f023195ba78ab1
                                                                                                                                                                  • Instruction ID: 7734e3287553b3d74106f6f7eb9ccba05eed1c215cdc5eb9b880f13b62f88aab
                                                                                                                                                                  • Opcode Fuzzy Hash: 1f2036eef49e5e85395cc8371fabf856195ee32ae0729c8c85f023195ba78ab1
                                                                                                                                                                  • Instruction Fuzzy Hash: 65428D75A043418FE714CF28C480B5ABBE1BFC8314F149A6DE9999B395D7B1E8C5CB82
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fbfdc33d2fdc3bee5cddbea4ce36b5624ba5c86133e9e197b308071150bd34ce
• Instruction ID: e176e8c39fa0001ffa0331148fc1a1e597aad8ea40cb8f55bb963474ee5d0d66
• Opcode Fuzzy Hash: fbfdc33d2fdc3bee5cddbea4ce36b5624ba5c86133e9e197b308071150bd34ce
• Instruction Fuzzy Hash: BEE1F372F1022A8FCB05CFA8D8816ADFBF1AF88324F5941AAD815B7340D774A955CB94
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 142b9e497edc779feb926e324d820a004adefa17f44103fd404662cc1c40eab9
• Instruction ID: 38e074bbf3e805e58539ca8d739cae2271b6a1961dda6b795eee354daaa2981f
• Opcode Fuzzy Hash: 142b9e497edc779feb926e324d820a004adefa17f44103fd404662cc1c40eab9
• Instruction Fuzzy Hash: 2361DA316201A84FE748DF5EFCC0476B361E3AE301789461AEA81CB395C675F56AE7E0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1584348cf9e3f3be4a9b24cc4e2ffe07feb8b558a8eaef0232f41b95094aa3e0
• Instruction ID: 7211d50b4de8a7ebd746b1f7ef274bdd41a532539b5b6ed0c87081a493a79e19
• Opcode Fuzzy Hash: 1584348cf9e3f3be4a9b24cc4e2ffe07feb8b558a8eaef0232f41b95094aa3e0
• Instruction Fuzzy Hash: 19312972B80708AEDB209E69CC40BCDBF96EF45211F04C559FD9C9B750C271E259C7A0
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___std_exception_destroy.LIBVCRUNTIME ref: 00422A7B
• ___std_exception_destroy.LIBVCRUNTIME ref: 00422A94
• ___std_exception_destroy.LIBVCRUNTIME ref: 00422B51
• ___std_exception_destroy.LIBVCRUNTIME ref: 00422B6A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: ___std_exception_destroy
• String ID: $array$number overflow parsing '
• API String ID: 4194217158-1444002993
• Opcode ID: 480f1ea474107f71b778f3c842a5369ced5b9b406927fb042976458005920f2e
• Instruction ID: b9be30596a158e5ed89902264b7fe79a610ddcfe29da18a95ce0fa7f3111436e
• Opcode Fuzzy Hash: 480f1ea474107f71b778f3c842a5369ced5b9b406927fb042976458005920f2e
• Instruction Fuzzy Hash: 5EF11070D002599FCB14CFA0D984BEEFBB4BF15304F54829EE44977242DB78AA89CB65
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___TypeMatch.LIBVCRUNTIME ref: 00432283
• _UnwindNestedFrames.LIBCMT ref: 004323D5
• CallUnexpected.LIBVCRUNTIME ref: 004323F0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: CallFramesMatchNestedTypeUnexpectedUnwind
• String ID: L;V$csm$csm$csm
• API String ID: 3456342781-3339109018
• Opcode ID: f219870799de8bf8d93d667d8b8260d42bea9e02fac3f36c4a5e93c416ed644d
• Instruction ID: 1a3b2e3aada59ff5ba11aad393d6dbbfac41e5171332123353ed96db4a75ae81
• Opcode Fuzzy Hash: f219870799de8bf8d93d667d8b8260d42bea9e02fac3f36c4a5e93c416ed644d
• Instruction Fuzzy Hash: 81B19971800219EFCF18DFA5CA819AFBBB5FF08314F14605BE9106B252D7B8DA51CB99
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___std_exception_destroy.LIBVCRUNTIME ref: 00422B51
• ___std_exception_destroy.LIBVCRUNTIME ref: 00422B6A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: ___std_exception_destroy
• String ID: $array
• API String ID: 4194217158-2848110696
• Opcode ID: 3d6bbb5eeb9172bfa257f394eb500065afff9989a7f434fa6634e6c51bf1637d
• Instruction ID: 609c5a3700c6786cab836529116566ed5d02bc52a958d6c1bc70f00cba6690f6
• Opcode Fuzzy Hash: 3d6bbb5eeb9172bfa257f394eb500065afff9989a7f434fa6634e6c51bf1637d
• Instruction Fuzzy Hash: 7961B370E00259EFCB14DFA4D990BEEBBB4FF15304F50416ED406A7241EB78AA89CB55
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 004071FE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: ___std_exception_copy
• String ID: 0f@$0f@$ange
• API String ID: 2659868963-373280750
• Opcode ID: ffe6436ea23728eaf55144815bccbff6b30d1088563154c710925e0334a587d5
• Instruction ID: 288f119f4ccb4c7cf0b8972ea0ca9e4329cc491e57a4aee3b53e0c7375ef9e73
• Opcode Fuzzy Hash: ffe6436ea23728eaf55144815bccbff6b30d1088563154c710925e0334a587d5
• Instruction Fuzzy Hash: 3E51F371D002449BDB18CFA8DC847ADBBB0FF85304F24836EE4157B391E7B8A9848B55
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 0041417F
• ___std_exception_copy.LIBVCRUNTIME ref: 004141A6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: ___std_exception_copy
• String ID: 0f@$0f@
• API String ID: 2659868963-4245790314
• Opcode ID: a0ec767d29c154d107e2924c90945eb70bd3bcc0216d37c8e4efd4af5cc58e06
• Instruction ID: a7d6c344e60e7f18edcee1d7e68ac694af1bcf80748ebca3b88f48a52b3fdaf1
• Opcode Fuzzy Hash: a0ec767d29c154d107e2924c90945eb70bd3bcc0216d37c8e4efd4af5cc58e06
• Instruction Fuzzy Hash: 53F0FFB6910B16AB8751DFA6D440882FBFCFE55310750872BA51597A00F7B4F5588BA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentThreadId.KERNEL32 ref: 00490044
• GetCurrentProcessId.KERNEL32 ref: 0049004C
• SetEvent.KERNEL32 ref: 00490069
• WaitForSingleObject.KERNEL32(000000FF), ref: 00490077
Memory Dump Source
• Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
Similarity
• API ID: Current$EventObjectProcessSingleThreadWait
• String ID:
• API String ID: 977356572-0
                                                                                                                                                                  • Opcode ID: 07ad26c9a8193a9c403b999b7260b6d74736513c4a61b8b242bc8500957e93da
                                                                                                                                                                  • Instruction ID: 68696a4330ff011d049e89e8b4814e5f18df6cd1e962ac77584aedc126b31ea8
                                                                                                                                                                  • Opcode Fuzzy Hash: 07ad26c9a8193a9c403b999b7260b6d74736513c4a61b8b242bc8500957e93da
                                                                                                                                                                  • Instruction Fuzzy Hash: CCE0467104A615EFCB049F68EC0C865BFA5FB297717408222FC09977B0DB708888EF80
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                  APIs
                                                                                                                                                                  • ___std_fs_get_full_path_name@12.LIBCPMT ref: 004061F2
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000000.00000002.2410994426.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_ygm2mXUReY.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ___std_fs_get_full_path_name@12
                                                                                                                                                                  • String ID: absolute$h<W
                                                                                                                                                                  • API String ID: 319883303-1227054036
                                                                                                                                                                  • Opcode ID: fc19779bb5a5af7582c79339770b481127d2738d3652d52236bc829e3857b7da
                                                                                                                                                                  • Instruction ID: a39a9e8cd5e7c649dec9d62c81c2f08022a5113abdb27f993b439c29f203247c
                                                                                                                                                                  • Opcode Fuzzy Hash: fc19779bb5a5af7582c79339770b481127d2738d3652d52236bc829e3857b7da
                                                                                                                                                                  • Instruction Fuzzy Hash: C651AEB0E00315ABDB14DF58C9047AABBF4FF48314F10466EE815A7380D775A950CBE5
                                                                                                                                                                  Uniqueness

                                                                                                                                                                  Uniqueness Score: -1.00%