Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1430607
MD5:	6a1ca153932a4d9b645a9cf47f30da65
SHA1:	4e59a3754135f887a717b238b8bfa89e9870a1cd
SHA256:	16861e3d14a7275bc7c771c361870b6d16b18321123d060de8e7b2c6071e3d6b
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject threads in other processes

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 5088 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6A1CA153932A4D9B645A9CF47F30DA65)

schtasks.exe (PID: 1620 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6960 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 7660 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1196 MD5: C31336C1EFC2CCB44B4326EA793040F2)

MPGPH131.exe (PID: 7120 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 6A1CA153932A4D9B645A9CF47F30DA65)

WerFault.exe (PID: 7652 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 1936 MD5: C31336C1EFC2CCB44B4326EA793040F2)

MPGPH131.exe (PID: 6208 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 6A1CA153932A4D9B645A9CF47F30DA65)

WerFault.exe (PID: 7644 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6208 -s 1900 MD5: C31336C1EFC2CCB44B4326EA793040F2)

RageMP131.exe (PID: 7276 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 6A1CA153932A4D9B645A9CF47F30DA65)

RageMP131.exe (PID: 7912 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 6A1CA153932A4D9B645A9CF47F30DA65)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\fOmlyjeWLzh5Tv38_jR4gFx.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\v3LvRqxzMigkZO4sGSn3NDv.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2020444484.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000005.00000003.1763977169.0000000005D31000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000005.00000003.1763583252.0000000005D31000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000006.00000003.1765470326.0000000006111000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.2019353356.000000000140E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000006.00000002.2001629494.0000000006112000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000005.00000002.2009852596.0000000005CD0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000006.00000003.1765088851.0000000006111000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000005.00000002.2009988128.0000000005D31000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000006.00000002.2001491145.0000000005D79000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000005.00000003.1795771441.0000000005D31000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000005.00000003.1763775648.0000000005D31000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 5088	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: file.exe PID: 5088	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 7120	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 7120	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 6208	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 6208	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7276	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7912	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Click to see the 16 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 5088, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort Signatures

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 147.45.47.93

Timestamp:	04/24/24-00:06:04.246752
SID:	2049060
Source Port:	49730
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.4

Timestamp:	04/24/24-00:06:24.994866
SID:	2046266
Source Port:	58709
Destination Port:	49750
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.4

Timestamp:	04/24/24-00:06:07.810603
SID:	2046266
Source Port:	58709
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.4

Timestamp:	04/24/24-00:06:04.897107
SID:	2046267
Source Port:	58709
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.4

Timestamp:	04/24/24-00:06:04.557121
SID:	2046266
Source Port:	58709
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.4

Timestamp:	04/24/24-00:06:07.790191
SID:	2046266
Source Port:	58709
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 147.45.47.93

Timestamp:	04/24/24-00:06:08.020801
SID:	2046269
Source Port:	49730
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.4

Timestamp:	04/24/24-00:06:08.131790
SID:	2046267
Source Port:	58709
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.4

Timestamp:	04/24/24-00:06:16.989078
SID:	2046266
Source Port:	58709
Destination Port:	49739
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://193.233.132.167/cost/lenin.exe	URL Reputation: Label: malware
Source: http://193.233.132.167/cost/go.exe	Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exeliber	Avira URL Cloud: Label: malware
Source: http://147.45.47.102:57893/hera/amadka.exe	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 21%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AE3EB0 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,		0_2_00AE3EB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008A3EB0 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,		5_2_008A3EB0

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49752 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AFD2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	0_2_00AFD2B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AE33B0 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,	0_2_00AE33B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB1A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,	0_2_00AB1A60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B03B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	0_2_00B03B20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A51F8C FindClose,FindFirstFileExW,GetLastError,	0_2_00A51F8C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A52012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	0_2_00A52012
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB13F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	0_2_00AB13F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008BD2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	5_2_008BD2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008A33B0 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,	5_2_008A33B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00871A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,	5_2_00871A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008C3B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	5_2_008C3B20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00811F8C FindClose,FindFirstFileExW,GetLastError,	5_2_00811F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00812012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	5_2_00812012
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008713F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	5_2_008713F0

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49733
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49739
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49750

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 147.45.47.93:58709

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 147.45.47.93 147.45.47.93
Source: Joe Sandbox View	IP Address: 172.67.75.166 172.67.75.166

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /widget/demo/154.16.105.36 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=154.16.105.36 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/154.16.105.36 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/154.16.105.36 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=154.16.105.36 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=154.16.105.36 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/154.16.105.36 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=154.16.105.36 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/154.16.105.36 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=154.16.105.36 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AE52A0 recv,GetCurrentProcess,

0_2_00AE52A0

Source: global traffic	HTTP traffic detected: GET /widget/demo/154.16.105.36 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=154.16.105.36 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/154.16.105.36 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/154.16.105.36 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=154.16.105.36 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=154.16.105.36 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/154.16.105.36 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=154.16.105.36 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/154.16.105.36 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=154.16.105.36 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown

DNS traffic detected: queries for: ipinfo.io

Source: file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2009036434.00000000013FA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1765088851.0000000006111000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: MPGPH131.exe, 00000005.00000002.2009036434.00000000013FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe68.07S
Source: file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exee
Source: MPGPH131.exe, 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeot
Source: file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2009036434.00000000013FA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.167/cost/go.exe
Source: file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.167/cost/go.exeliber
Source: file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2009036434.00000000013FA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.167/cost/lenin.exe
Source: RageMP131.exe, 00000007.00000002.1853860162.0000000000F23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: Amcache.hve.12.dr	String found in binary or memory: http://upx.sf.net
Source: RageMP131.exe, 00000007.00000002.1853860162.0000000000F23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: file.exe, 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1630707894.0000000003050000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2007361488.000000000093B000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1654737782.0000000001300000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1655064351.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1999696519.000000000093B000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000003.1757667683.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1852149292.00000000006CB000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.1839384722.0000000001170000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1921857374.00000000006CB000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000003.1753067869.000000000601E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745912462.0000000006001000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1751234910.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750510952.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1756986799.0000000005D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1758135110.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1752812191.0000000006137000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1754715932.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, n216lelIOnitWeb Data.0.dr, LXuFiEXG0EkqWeb Data.5.dr, CrDw0uiZyBrjWeb Data.0.dr, iLjAv5QAc_NyWeb Data.5.dr, rAZQ7hw0IO5UWeb Data.5.dr, ywWhbVJPCEiWWeb Data.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1753067869.000000000601E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745912462.0000000006001000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1751234910.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750510952.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1756986799.0000000005D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1758135110.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1752812191.0000000006137000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1754715932.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, n216lelIOnitWeb Data.0.dr, LXuFiEXG0EkqWeb Data.5.dr, CrDw0uiZyBrjWeb Data.0.dr, iLjAv5QAc_NyWeb Data.5.dr, rAZQ7hw0IO5UWeb Data.5.dr, ywWhbVJPCEiWWeb Data.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1753067869.000000000601E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745912462.0000000006001000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1751234910.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750510952.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1756986799.0000000005D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1758135110.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1752812191.0000000006137000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1754715932.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, n216lelIOnitWeb Data.0.dr, LXuFiEXG0EkqWeb Data.5.dr, CrDw0uiZyBrjWeb Data.0.dr, iLjAv5QAc_NyWeb Data.5.dr, rAZQ7hw0IO5UWeb Data.5.dr, ywWhbVJPCEiWWeb Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1753067869.000000000601E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745912462.0000000006001000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1751234910.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750510952.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1756986799.0000000005D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1758135110.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1752812191.0000000006137000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1754715932.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, n216lelIOnitWeb Data.0.dr, LXuFiEXG0EkqWeb Data.5.dr, CrDw0uiZyBrjWeb Data.0.dr, iLjAv5QAc_NyWeb Data.5.dr, rAZQ7hw0IO5UWeb Data.5.dr, ywWhbVJPCEiWWeb Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RageMP131.exe, 00000007.00000002.1853860162.0000000000F23000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923384925.00000000012FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 00000010.00000002.1923384925.00000000012FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/1
Source: RageMP131.exe, 00000010.00000002.1923384925.00000000012FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/7
Source: file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/F
Source: RageMP131.exe, 00000007.00000002.1853860162.0000000000F23000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923384925.00000000012FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=154.16.105.36
Source: RageMP131.exe, 00000007.00000002.1853860162.0000000000F23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=154.16.105.36s
Source: RageMP131.exe, 00000010.00000002.1923384925.00000000012FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=154.16.105.36y
Source: MPGPH131.exe, 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/m#
Source: file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2009036434.00000000013FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=154.16.105.36
Source: RageMP131.exe, 00000010.00000002.1923384925.00000000012FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=154.16.105.369
Source: RageMP131.exe, 00000007.00000002.1853860162.0000000000F23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=154.16.105.36P
Source: MPGPH131.exe, 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=154.16.105.36w
Source: file.exe, 00000000.00000003.1753067869.000000000601E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745912462.0000000006001000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1751234910.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750510952.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1756986799.0000000005D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1758135110.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1752812191.0000000006137000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1754715932.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, n216lelIOnitWeb Data.0.dr, LXuFiEXG0EkqWeb Data.5.dr, CrDw0uiZyBrjWeb Data.0.dr, iLjAv5QAc_NyWeb Data.5.dr, rAZQ7hw0IO5UWeb Data.5.dr, ywWhbVJPCEiWWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1753067869.000000000601E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745912462.0000000006001000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1751234910.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750510952.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1756986799.0000000005D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1758135110.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1752812191.0000000006137000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1754715932.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, n216lelIOnitWeb Data.0.dr, LXuFiEXG0EkqWeb Data.5.dr, CrDw0uiZyBrjWeb Data.0.dr, iLjAv5QAc_NyWeb Data.5.dr, rAZQ7hw0IO5UWeb Data.5.dr, ywWhbVJPCEiWWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1753067869.000000000601E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745912462.0000000006001000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1751234910.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750510952.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1756986799.0000000005D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1758135110.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1752812191.0000000006137000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1754715932.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, n216lelIOnitWeb Data.0.dr, LXuFiEXG0EkqWeb Data.5.dr, CrDw0uiZyBrjWeb Data.0.dr, iLjAv5QAc_NyWeb Data.5.dr, rAZQ7hw0IO5UWeb Data.5.dr, ywWhbVJPCEiWWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RageMP131.exe, 00000010.00000002.1923384925.00000000012A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: MPGPH131.exe, 00000006.00000002.2000818189.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/#&
Source: file.exe, 00000000.00000002.2019353356.0000000001486000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2009036434.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2000818189.00000000013DA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1853860162.0000000000F15000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923384925.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: file.exe, 00000000.00000002.2019353356.000000000147A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/O0
Source: file.exe, 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1630707894.0000000003050000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2007361488.000000000093B000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1654737782.0000000001300000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1655064351.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1999696519.000000000093B000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000003.1757667683.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1852149292.00000000006CB000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.1839384722.0000000001170000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1921857374.00000000006CB000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000006.00000002.2000818189.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/o
Source: file.exe, 00000000.00000002.2019353356.0000000001486000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2019353356.000000000145F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2009036434.000000000138A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2009036434.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2000818189.00000000013B3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1853860162.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923384925.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923384925.00000000012BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/154.16.105.36
Source: RageMP131.exe, 00000007.00000002.1853860162.0000000000F15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/154.16.105.36$I3
Source: MPGPH131.exe, 00000006.00000002.2000818189.00000000013DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/154.16.105.361
Source: RageMP131.exe, 00000010.00000002.1923384925.00000000012BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/154.16.105.36O
Source: RageMP131.exe, 00000007.00000002.1853860162.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/154.16.105.36d
Source: RageMP131.exe, 00000010.00000002.1923384925.00000000012D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/y8
Source: file.exe, 00000000.00000002.2019353356.0000000001486000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2009036434.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2000818189.00000000013DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/154.16.105.36
Source: RageMP131.exe, 00000007.00000002.1853860162.0000000000F15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/154.16.105.36P
Source: RageMP131.exe, 00000010.00000002.1923384925.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/154.16.105.36p
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, 00000000.00000003.1751130848.0000000005FFC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1754939063.0000000005D46000.00000004.00000020.00020000.00000000.sdmp, OAknfdtzctwSHistory.5.dr, 2fkbH95MIiIVHistory.0.dr, TWdqXpwjKJgnHistory.0.dr, 3FmY8Y3VZKUdHistory.5.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: OAknfdtzctwSHistory.5.dr, 2fkbH95MIiIVHistory.0.dr, TWdqXpwjKJgnHistory.0.dr, 3FmY8Y3VZKUdHistory.5.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: file.exe, 00000000.00000003.1751130848.0000000005FFC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1754939063.0000000005D46000.00000004.00000020.00020000.00000000.sdmp, OAknfdtzctwSHistory.5.dr, 2fkbH95MIiIVHistory.0.dr, TWdqXpwjKJgnHistory.0.dr, 3FmY8Y3VZKUdHistory.5.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: OAknfdtzctwSHistory.5.dr, 2fkbH95MIiIVHistory.0.dr, TWdqXpwjKJgnHistory.0.dr, 3FmY8Y3VZKUdHistory.5.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RageMP131.exe, 00000010.00000002.1923384925.00000000012FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.7
Source: RageMP131.exe, 00000007.00000002.1853860162.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923384925.0000000001267000.00000004.00000020.00020000.00000000.sdmp, v3LvRqxzMigkZO4sGSn3NDv.zip.0.dr, fOmlyjeWLzh5Tv38_jR4gFx.zip.5.dr	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000006.00000003.1765470326.0000000006111000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2001629494.0000000006112000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1765088851.0000000006111000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT27.20130
Source: MPGPH131.exe, 00000005.00000002.2009852596.0000000005CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTF
Source: RageMP131.exe, 00000010.00000002.1923384925.0000000001267000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTHi
Source: MPGPH131.exe, 00000006.00000002.2000818189.0000000001367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTM
Source: file.exe, 00000000.00000002.2019353356.000000000140E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTg
Source: RageMP131.exe, 00000010.00000002.1923384925.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.5.dr, passwords.txt.0.dr	String found in binary or memory: https://t.me/risepro_bot
Source: file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot4-3500
Source: file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botAB
Source: MPGPH131.exe, 00000005.00000002.2009036434.00000000013FA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923384925.00000000012FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: RageMP131.exe, 00000007.00000002.1853860162.0000000000F23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botlater
Source: RageMP131.exe, 00000007.00000002.1853860162.0000000000F23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_boto
Source: file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botrisepro0;09
Source: file.exe, 00000000.00000003.1753067869.000000000601E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745912462.0000000006001000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1751234910.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750510952.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1756986799.0000000005D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1758135110.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1752812191.0000000006137000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1754715932.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, n216lelIOnitWeb Data.0.dr, LXuFiEXG0EkqWeb Data.5.dr, CrDw0uiZyBrjWeb Data.0.dr, iLjAv5QAc_NyWeb Data.5.dr, rAZQ7hw0IO5UWeb Data.5.dr, ywWhbVJPCEiWWeb Data.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1753067869.000000000601E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745912462.0000000006001000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1751234910.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750510952.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1756986799.0000000005D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1758135110.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1752812191.0000000006137000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1754715932.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, n216lelIOnitWeb Data.0.dr, LXuFiEXG0EkqWeb Data.5.dr, CrDw0uiZyBrjWeb Data.0.dr, iLjAv5QAc_NyWeb Data.5.dr, rAZQ7hw0IO5UWeb Data.5.dr, ywWhbVJPCEiWWeb Data.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2009036434.00000000013FA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1765470326.0000000006111000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2001629494.0000000006112000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1765088851.0000000006111000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000002.2020444484.0000000005FC9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1740799696.0000000005FC9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1741411946.0000000005FC9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1756560629.0000000005FC9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1753729491.0000000005D15000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2009852596.0000000005D15000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1762693267.0000000005DAF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2001491145.0000000005DAF000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.6.dr, 3b6N2Xdh3CYwplaces.sqlite.6.dr, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: MPGPH131.exe, 00000006.00000003.1765088851.0000000006111000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: MPGPH131.exe, 00000005.00000002.2009036434.00000000013FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/_1
Source: file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/ata
Source: file.exe, 00000000.00000002.2020444484.0000000005FC9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1740799696.0000000005FC9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1741411946.0000000005FC9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1756560629.0000000005FC9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1753729491.0000000005D15000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2009852596.0000000005D15000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1762693267.0000000005DAF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2001491145.0000000005DAF000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.6.dr, 3b6N2Xdh3CYwplaces.sqlite.6.dr, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: MPGPH131.exe, 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/refoxp;
Source: MPGPH131.exe, 00000005.00000002.2009036434.00000000013FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/vS.

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49752 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B033A0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,73BB74A0,DeleteObject,DeleteObject,ReleaseDC,

0_2_00B033A0

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B18080	0_2_00B18080
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6001D	0_2_00A6001D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB61D0	0_2_00AB61D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AFD2B0	0_2_00AFD2B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AFC3E0	0_2_00AFC3E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AFB7E0	0_2_00AFB7E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9F730	0_2_00A9F730
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2B8E0	0_2_00A2B8E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B5C8D0	0_2_00B5C8D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AF49B0	0_2_00AF49B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB8A80	0_2_00AB8A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB1A60	0_2_00AB1A60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ABCBF0	0_2_00ABCBF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AC7D20	0_2_00AC7D20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ABAEC0	0_2_00ABAEC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB3ED0	0_2_00AB3ED0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AADF60	0_2_00AADF60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B640A0	0_2_00B640A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B520C0	0_2_00B520C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A57190	0_2_00A57190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AC1130	0_2_00AC1130
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA2100	0_2_00AA2100
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B63160	0_2_00B63160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B5F280	0_2_00B5F280
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B10350	0_2_00B10350
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6035F	0_2_00A6035F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A4F570	0_2_00A4F570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A747AD	0_2_00A747AD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5A918	0_2_00A5A918
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5C950	0_2_00A5C950
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B64AE0	0_2_00B64AE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6DA74	0_2_00A6DA74
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B65A40	0_2_00B65A40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A78BA0	0_2_00A78BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB0BA0	0_2_00AB0BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B04B90	0_2_00B04B90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A78E20	0_2_00A78E20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AC1E40	0_2_00AC1E40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B0BFC0	0_2_00B0BFC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B0CFC0	0_2_00B0CFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008D8080	5_2_008D8080
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0082001D	5_2_0082001D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008761D0	5_2_008761D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008BD2B0	5_2_008BD2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008BC3E0	5_2_008BC3E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008BB7E0	5_2_008BB7E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0085F730	5_2_0085F730
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0091C8D0	5_2_0091C8D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_007EB8E0	5_2_007EB8E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008B49B0	5_2_008B49B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00878A80	5_2_00878A80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00871A60	5_2_00871A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0087CBF0	5_2_0087CBF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00887D20	5_2_00887D20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0087AEC0	5_2_0087AEC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00873ED0	5_2_00873ED0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0086DF60	5_2_0086DF60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_009240A0	5_2_009240A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_009120C0	5_2_009120C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00817190	5_2_00817190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00862100	5_2_00862100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00881130	5_2_00881130
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00923160	5_2_00923160
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0091F280	5_2_0091F280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0082035F	5_2_0082035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008D0350	5_2_008D0350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0080F570	5_2_0080F570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008347AD	5_2_008347AD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0081A918	5_2_0081A918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0081C950	5_2_0081C950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00924AE0	5_2_00924AE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00925A40	5_2_00925A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0082DA74	5_2_0082DA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008C4B90	5_2_008C4B90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00838BA0	5_2_00838BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00870BA0	5_2_00870BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00838E20	5_2_00838E20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00881E40	5_2_00881E40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008CBFC0	5_2_008CBFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008CCFC0	5_2_008CCFC0

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00A3ACE0 appears 86 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 007FACE0 appears 86 times

Source: C:\ProgramData\MPGPH131\MPGPH131.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6208 -s 1900

Source: RageMP131.exe.0.dr	Static PE information: Number of sections : 12 > 10
Source: MPGPH131.exe.0.dr	Static PE information: Number of sections : 12 > 10
Source: file.exe	Static PE information: Number of sections : 12 > 10

Source: file.exe	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.1630779061.0000000003050000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
Source: file.exe, 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9994570389243614
Source: file.exe	Static PE information: Section: ZLIB complexity 0.9971393623737373
Source: file.exe	Static PE information: Section: ZLIB complexity 1.0023871527777777
Source: file.exe	Static PE information: Section: ZLIB complexity 0.9943462171052632
Source: file.exe	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9994570389243614
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9971393623737373
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 1.0023871527777777
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9943462171052632
Source: RageMP131.exe.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9994570389243614
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9971393623737373
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 1.0023871527777777
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9943462171052632
Source: MPGPH131.exe.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.5

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@14/60@3/3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AFD2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,

0_2_00AFD2B0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7120
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5088
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5684:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7076:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6208

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1630707894.0000000003050000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2007361488.000000000093B000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1654737782.0000000001300000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1655064351.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1999696519.000000000093B000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000003.1757667683.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1852149292.00000000006CB000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.1839384722.0000000001170000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1921857374.00000000006CB000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1630707894.0000000003050000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2007361488.000000000093B000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1654737782.0000000001300000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1655064351.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1999696519.000000000093B000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000003.1757667683.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1852149292.00000000006CB000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.1839384722.0000000001170000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1921857374.00000000006CB000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000003.1743674507.00000000014F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1740701352.0000000005FDA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750510952.0000000005D34000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750427589.0000000005D18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750097657.0000000005D18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1751171148.000000000610D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1752627969.000000000610F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1750908789.0000000006101000.00000004.00000020.00020000.00000000.sdmp, spvsXarvltR2Login Data For Account.5.dr, kKUZo8xfUQP6Login Data For Account.0.dr, chbVhxN5Q4oALogin Data.0.dr, aU71U5Q3u0g5Login Data.5.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6208 -s 1900
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 1936
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1196
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: file.exe

Static file information: File size 2187792 > 1048576

Source: file.exe

Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x174200

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AEC630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

0_2_00AEC630

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .vm_sec
Source: file.exe	Static PE information: section name: .themida
Source: file.exe	Static PE information: section name: .boot
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .vm_sec
Source: RageMP131.exe.0.dr	Static PE information: section name: .themida
Source: RageMP131.exe.0.dr	Static PE information: section name: .boot
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .vm_sec
Source: MPGPH131.exe.0.dr	Static PE information: section name: .themida
Source: MPGPH131.exe.0.dr	Static PE information: section name: .boot

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBB394 push ecx; mov dword ptr [esp], ebx	0_2_00E93DD4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBB394 push 181A61C8h; mov dword ptr [esp], ebx	0_2_00E93E0C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBB394 push ecx; mov dword ptr [esp], 48828780h	0_2_00E93E65
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A53F49 push ecx; ret	0_2_00A53F5C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00B7B394 push ecx; mov dword ptr [esp], ebx	5_2_00C53DD4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00B7B394 push 181A61C8h; mov dword ptr [esp], ebx	5_2_00C53E0C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00B7B394 push ecx; mov dword ptr [esp], 48828780h	5_2_00C53E65
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00813F49 push ecx; ret	5_2_00813F5C

Source: file.exe	Static PE information: section name: entropy: 7.99947787553928
Source: file.exe	Static PE information: section name: .boot entropy: 7.954910935744161
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.99947787553928
Source: RageMP131.exe.0.dr	Static PE information: section name: .boot entropy: 7.954910935744161
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.99947787553928
Source: MPGPH131.exe.0.dr	Static PE information: section name: .boot entropy: 7.954910935744161

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\file.exe	Stalling execution: Execution stalls by calling Sleep			graph_0-51905
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Stalling execution: Execution stalls by calling Sleep

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\file.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\file.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)			graph_0-51901

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-52005

Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6812	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6812	Thread sleep count: 71 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6904	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6904	Thread sleep count: 71 > 30	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AFD2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	0_2_00AFD2B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AE33B0 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,	0_2_00AE33B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB1A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,	0_2_00AB1A60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B03B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	0_2_00B03B20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A51F8C FindClose,FindFirstFileExW,GetLastError,	0_2_00A51F8C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A52012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	0_2_00A52012
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB13F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	0_2_00AB13F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008BD2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	5_2_008BD2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008A33B0 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,	5_2_008A33B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00871A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,	5_2_00871A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008C3B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	5_2_008C3B20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00811F8C FindClose,FindFirstFileExW,GetLastError,	5_2_00811F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00812012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	5_2_00812012
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008713F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	5_2_008713F0

Source: C:\Users\user\Desktop\file.exe

0_2_00AFD2B0

Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: RageMP131.exe, 00000010.00000002.1923384925.0000000001260000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&8
Source: MPGPH131.exe, 00000006.00000003.1765088851.0000000006111000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}avapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE2>
Source: Amcache.hve.12.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MPGPH131.exe, 00000006.00000003.1683343678.00000000013C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}8,
Source: MPGPH131.exe, 00000006.00000003.1683343678.00000000013C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b};?
Source: file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2009036434.00000000013C3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1853860162.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1853860162.0000000000F23000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923384925.00000000012FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 00000006.00000002.2000818189.00000000013C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/>
Source: RageMP131.exe, 00000010.00000003.1855358066.00000000012C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.12.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: file.exe, 00000000.00000002.2020444484.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}i
Source: MPGPH131.exe, 00000006.00000002.2000818189.0000000001360000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Amcache.hve.12.dr	Binary or memory string: vmci.sys
Source: RageMP131.exe, 00000007.00000003.1775357904.0000000000F03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}>H2
Source: file.exe, 00000000.00000002.2020444484.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/7rrP9UK+nYJkDUaruLFsmiax3GAXC2Igj63N1koqBHsy38rIIvg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*e9
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: MPGPH131.exe, 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.12.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: MPGPH131.exe, 00000005.00000003.1683318588.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.12.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: RageMP131.exe, 00000007.00000002.1853860162.0000000000E90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.
Source: RageMP131.exe, 00000010.00000003.1855358066.00000000012C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000007.00000002.1853860162.0000000000F15000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MPGPH131.exe, 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}]FU:
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MPGPH131.exe, 00000005.00000002.2009036434.000000000138A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: Amcache.hve.12.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: MPGPH131.exe, 00000006.00000002.2000818189.0000000001433000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_9857824E
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MPGPH131.exe, 00000005.00000002.2009036434.0000000001419000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}k
Source: Amcache.hve.12.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: file.exe, 00000000.00000002.2019353356.000000000145F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2000818189.00000000013B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: RageMP131.exe, 00000010.00000002.1923384925.00000000012FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWG
Source: MPGPH131.exe, 00000005.00000003.1683318588.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@]W
Source: MPGPH131.exe, 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J6HEdjEHUub5EtqTQ2dk3wwrCNfruTWZeEqONRrqgXAW0ke6pZXg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*h\|_9"
Source: RageMP131.exe, 00000010.00000002.1923384925.00000000012B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@G0

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A58A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00A58A54

Source: C:\Users\user\Desktop\file.exe

0_2_00AEC630

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AE4130 mov eax, dword ptr fs:[00000030h]	0_2_00AE4130
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB1A60 mov eax, dword ptr fs:[00000030h]	0_2_00AB1A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008A4130 mov eax, dword ptr fs:[00000030h]	5_2_008A4130
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00871A60 mov eax, dword ptr fs:[00000030h]	5_2_00871A60

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B06E20 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree,

0_2_00B06E20

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00A5450D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A58A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A58A54
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0081450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0081450D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00818A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00818A54

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AEC630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,		0_2_00AEC630
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_008AC630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,		5_2_008AC630

Source: C:\Users\user\Desktop\file.exe	Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	0_2_00AFD2B0
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00A6B1A3
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00A731B8
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00A732E1
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00A733E7
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00A734BD
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00A6B726
Source: C:\Users\user\Desktop\file.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00A72B48
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00A72DF4
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00A72D4D
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00A72EDA
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00A72E3F
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00A72F65
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	5_2_008BD2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	5_2_0082B1A3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	5_2_008331B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_008332E1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	5_2_008333E7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_008334BD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	5_2_0082B726
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	5_2_00832B48
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	5_2_00832DF4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	5_2_00832D4D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	5_2_00832EDA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	5_2_00832E3F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_2_00832F65

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\file.exe

0_2_00AFD2B0

Source: C:\Users\user\Desktop\file.exe

0_2_00AFD2B0

Source: C:\Users\user\Desktop\file.exe

0_2_00AFD2B0

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 00000000.00000002.2020444484.0000000005F70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1763977169.0000000005D31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1763583252.0000000005D31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1765470326.0000000006111000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2019353356.000000000140E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2001629494.0000000006112000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2009852596.0000000005CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1765088851.0000000006111000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2009988128.0000000005D31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2001491145.0000000005D79000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1795771441.0000000005D31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1763775648.0000000005D31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6208, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\fOmlyjeWLzh5Tv38_jR4gFx.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v3LvRqxzMigkZO4sGSn3NDv.zip, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe, 00000000.00000002.2020444484.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsb
Source: file.exe, 00000000.00000002.2020444484.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\walletsB
Source: file.exe, 00000000.00000002.2020444484.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Jaxx\Local Storaget
Source: file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.2020444484.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: file.exe, 00000000.00000002.2020444484.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: file.exe, 00000000.00000002.2019353356.000000000145F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: MPGPH131.exe, 00000005.00000003.1761983654.0000000005D34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6208, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 00000000.00000002.2020444484.0000000005F70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1763977169.0000000005D31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1763583252.0000000005D31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1765470326.0000000006111000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2019353356.000000000140E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2001629494.0000000006112000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2009852596.0000000005CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1765088851.0000000006111000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2009988128.0000000005D31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2001491145.0000000005D79000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1795771441.0000000005D31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1763775648.0000000005D31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6208, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\fOmlyjeWLzh5Tv38_jR4gFx.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v3LvRqxzMigkZO4sGSn3NDv.zip, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	2 Software Packing	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	35 System Information Discovery	Distributed Component Object Model	1 Email Collection	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Query Registry	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	13 Virtualization/Sandbox Evasion	Cached Domain Credentials	351 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	13 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	21%	ReversingLabs
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	21%	ReversingLabs

Source	Detection	Scanner	Label
http://193.233.132.167/cost/lenin.exe	100%	URL Reputation	malware
http://crl.m	0%	URL Reputation	safe
http://193.233.132.167/cost/go.exe	100%	Avira URL Cloud	malware
http://www.microsoft.co	0%	Avira URL Cloud	safe
http://193.233.132.167/cost/go.exeliber	100%	Avira URL Cloud	malware
https://t.7	0%	Avira URL Cloud	safe
http://147.45.47.102:57893/hera/amadka.exe	100%	Avira URL Cloud	malware
http://147.45.47.102:57893/hera/amadka.exee	0%	Avira URL Cloud	safe
http://147.45.47.102:57893/hera/amadka.exeot	0%	Avira URL Cloud	safe
http://147.45.47.102:57893/hera/amadka.exe68.07S	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.186.192	true	false		high
db-ip.com	172.67.75.166	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://db-ip.com/demo/home.php?s=154.16.105.36	false		high
https://ipinfo.io/widget/demo/154.16.105.36	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.1753067869.000000000601E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745912462.0000000006001000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1751234910.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750510952.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1756986799.0000000005D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1758135110.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1752812191.0000000006137000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1754715932.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, n216lelIOnitWeb Data.0.dr, LXuFiEXG0EkqWeb Data.5.dr, CrDw0uiZyBrjWeb Data.0.dr, iLjAv5QAc_NyWeb Data.5.dr, rAZQ7hw0IO5UWeb Data.5.dr, ywWhbVJPCEiWWeb Data.0.dr	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	D87fZN3R3jFeplaces.sqlite.0.dr	false		high
https://t.me/risepro_botAB	file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.1753067869.000000000601E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745912462.0000000006001000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1751234910.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750510952.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1756986799.0000000005D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1758135110.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1752812191.0000000006137000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1754715932.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, n216lelIOnitWeb Data.0.dr, LXuFiEXG0EkqWeb Data.5.dr, CrDw0uiZyBrjWeb Data.0.dr, iLjAv5QAc_NyWeb Data.5.dr, rAZQ7hw0IO5UWeb Data.5.dr, ywWhbVJPCEiWWeb Data.0.dr	false		high
https://ipinfo.io/widget/demo/154.16.105.36O	RageMP131.exe, 00000010.00000002.1923384925.00000000012BD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/y8	RageMP131.exe, 00000010.00000002.1923384925.00000000012D4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://147.45.47.102:57893/hera/amadka.exe68.07S	MPGPH131.exe, 00000005.00000002.2009036434.00000000013FA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.47.102:57893/hera/amadka.exe	file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2009036434.00000000013FA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1765088851.0000000006111000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.microsoft.co	RageMP131.exe, 00000007.00000002.1853860162.0000000000F23000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.47.102:57893/hera/amadka.exeot	MPGPH131.exe, 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com/	RageMP131.exe, 00000007.00000002.1853860162.0000000000F23000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923384925.00000000012FD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORTg	file.exe, 00000000.00000002.2019353356.000000000140E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/1	RageMP131.exe, 00000010.00000002.1923384925.00000000012FD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/widget/demo/154.16.105.36d	RageMP131.exe, 00000007.00000002.1853860162.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://193.233.132.167/cost/go.exeliber	file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000003.1753067869.000000000601E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745912462.0000000006001000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1751234910.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750510952.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1756986799.0000000005D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1758135110.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1752812191.0000000006137000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1754715932.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, n216lelIOnitWeb Data.0.dr, LXuFiEXG0EkqWeb Data.5.dr, CrDw0uiZyBrjWeb Data.0.dr, iLjAv5QAc_NyWeb Data.5.dr, rAZQ7hw0IO5UWeb Data.5.dr, ywWhbVJPCEiWWeb Data.0.dr	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	file.exe, 00000000.00000003.1751130848.0000000005FFC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1754939063.0000000005D46000.00000004.00000020.00020000.00000000.sdmp, OAknfdtzctwSHistory.5.dr, 2fkbH95MIiIVHistory.0.dr, TWdqXpwjKJgnHistory.0.dr, 3FmY8Y3VZKUdHistory.5.dr	false		high
https://ipinfo.io/O0	file.exe, 00000000.00000002.2019353356.000000000147A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://193.233.132.167/cost/go.exe	file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2009036434.00000000013FA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ipinfo.io:443/widget/demo/154.16.105.36P	RageMP131.exe, 00000007.00000002.1853860162.0000000000F15000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/o	MPGPH131.exe, 00000006.00000002.2000818189.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io:443/widget/demo/154.16.105.36	file.exe, 00000000.00000002.2019353356.0000000001486000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2009036434.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2000818189.00000000013DA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORTM	MPGPH131.exe, 00000006.00000002.2000818189.0000000001367000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	OAknfdtzctwSHistory.5.dr, 2fkbH95MIiIVHistory.0.dr, TWdqXpwjKJgnHistory.0.dr, 3FmY8Y3VZKUdHistory.5.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000003.1753067869.000000000601E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745912462.0000000006001000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1751234910.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750510952.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1756986799.0000000005D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1758135110.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1752812191.0000000006137000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1754715932.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, n216lelIOnitWeb Data.0.dr, LXuFiEXG0EkqWeb Data.5.dr, CrDw0uiZyBrjWeb Data.0.dr, iLjAv5QAc_NyWeb Data.5.dr, rAZQ7hw0IO5UWeb Data.5.dr, ywWhbVJPCEiWWeb Data.0.dr	false		high
https://db-ip.com/7	RageMP131.exe, 00000010.00000002.1923384925.00000000012FD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_botisepro_bot	MPGPH131.exe, 00000005.00000002.2009036434.00000000013FA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923384925.00000000012FD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORTF	MPGPH131.exe, 00000005.00000002.2009852596.0000000005CD0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://193.233.132.167/cost/lenin.exe	file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2009036434.00000000013FA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ipinfo.io/#&	MPGPH131.exe, 00000006.00000002.2000818189.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/F	file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORTHi	RageMP131.exe, 00000010.00000002.1923384925.0000000001267000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com:443/demo/home.php?s=154.16.105.36w	MPGPH131.exe, 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io:443/widget/demo/154.16.105.36p	RageMP131.exe, 00000010.00000002.1923384925.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com:443/demo/home.php?s=154.16.105.36	file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2009036434.00000000013FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.7	RageMP131.exe, 00000010.00000002.1923384925.00000000012FD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000003.1753067869.000000000601E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745912462.0000000006001000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1751234910.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750510952.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1756986799.0000000005D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1758135110.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1752812191.0000000006137000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1754715932.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, n216lelIOnitWeb Data.0.dr, LXuFiEXG0EkqWeb Data.5.dr, CrDw0uiZyBrjWeb Data.0.dr, iLjAv5QAc_NyWeb Data.5.dr, rAZQ7hw0IO5UWeb Data.5.dr, ywWhbVJPCEiWWeb Data.0.dr	false		high
http://147.45.47.102:57893/hera/amadka.exee	file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	file.exe, 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1630707894.0000000003050000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2007361488.000000000093B000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1654737782.0000000001300000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1655064351.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1999696519.000000000093B000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000003.1757667683.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1852149292.00000000006CB000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.1839384722.0000000001170000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1921857374.00000000006CB000.00000040.00000001.01000000.00000006.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.1753067869.000000000601E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745912462.0000000006001000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1751234910.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750510952.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1756986799.0000000005D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1758135110.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1752812191.0000000006137000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1754715932.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, n216lelIOnitWeb Data.0.dr, LXuFiEXG0EkqWeb Data.5.dr, CrDw0uiZyBrjWeb Data.0.dr, iLjAv5QAc_NyWeb Data.5.dr, rAZQ7hw0IO5UWeb Data.5.dr, ywWhbVJPCEiWWeb Data.0.dr	false		high
http://upx.sf.net	Amcache.hve.12.dr	false		high
https://db-ip.com/demo/home.php?s=154.16.105.36s	RageMP131.exe, 00000007.00000002.1853860162.0000000000F23000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORT	RageMP131.exe, 00000007.00000002.1853860162.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923384925.0000000001267000.00000004.00000020.00020000.00000000.sdmp, v3LvRqxzMigkZO4sGSn3NDv.zip.0.dr, fOmlyjeWLzh5Tv38_jR4gFx.zip.5.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	file.exe, 00000000.00000003.1751130848.0000000005FFC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1754939063.0000000005D46000.00000004.00000020.00020000.00000000.sdmp, OAknfdtzctwSHistory.5.dr, 2fkbH95MIiIVHistory.0.dr, TWdqXpwjKJgnHistory.0.dr, 3FmY8Y3VZKUdHistory.5.dr	false		high
https://t.me/risepro_botrisepro0;09	file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	file.exe, 00000000.00000003.1753067869.000000000601E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745912462.0000000006001000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1751234910.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750510952.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1756986799.0000000005D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1758135110.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1752812191.0000000006137000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1754715932.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, n216lelIOnitWeb Data.0.dr, LXuFiEXG0EkqWeb Data.5.dr, CrDw0uiZyBrjWeb Data.0.dr, iLjAv5QAc_NyWeb Data.5.dr, rAZQ7hw0IO5UWeb Data.5.dr, ywWhbVJPCEiWWeb Data.0.dr	false		high
https://db-ip.com/demo/home.php?s=154.16.105.36y	RageMP131.exe, 00000010.00000002.1923384925.00000000012FD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/Mozilla/5.0	file.exe, 00000000.00000002.2019353356.0000000001486000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2009036434.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2000818189.00000000013DA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1853860162.0000000000F15000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923384925.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	D87fZN3R3jFeplaces.sqlite.0.dr	false		high
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000003.1753067869.000000000601E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745912462.0000000006001000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1751234910.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750510952.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1756986799.0000000005D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1758135110.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1752812191.0000000006137000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1754715932.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, n216lelIOnitWeb Data.0.dr, LXuFiEXG0EkqWeb Data.5.dr, CrDw0uiZyBrjWeb Data.0.dr, iLjAv5QAc_NyWeb Data.5.dr, rAZQ7hw0IO5UWeb Data.5.dr, ywWhbVJPCEiWWeb Data.0.dr	false		high
https://t.me/risepro_bot	RageMP131.exe, 00000010.00000002.1923384925.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.5.dr, passwords.txt.0.dr	false		high
http://crl.m	RageMP131.exe, 00000007.00000002.1853860162.0000000000F23000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ipinfo.io/widget/demo/154.16.105.361	MPGPH131.exe, 00000006.00000002.2000818189.00000000013DA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_botlater	RageMP131.exe, 00000007.00000002.1853860162.0000000000F23000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/m#	MPGPH131.exe, 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com:443/demo/home.php?s=154.16.105.36P	RageMP131.exe, 00000007.00000002.1853860162.0000000000F23000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/	RageMP131.exe, 00000010.00000002.1923384925.00000000012A0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORT27.20130	MPGPH131.exe, 00000006.00000003.1765470326.0000000006111000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2001629494.0000000006112000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1765088851.0000000006111000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.maxmind.com/en/locate-my-ip-address	file.exe, MPGPH131.exe	false		high
https://t.me/risepro_bot4-3500	file.exe, 00000000.00000002.2019353356.000000000149A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.winimage.com/zLibDll	file.exe, 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1630707894.0000000003050000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2007361488.000000000093B000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1654737782.0000000001300000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1655064351.0000000002D40000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1999696519.000000000093B000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000003.1757667683.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1852149292.00000000006CB000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.1839384722.0000000001170000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1921857374.00000000006CB000.00000040.00000001.01000000.00000006.sdmp	false		high
https://support.mozilla.org	D87fZN3R3jFeplaces.sqlite.0.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	OAknfdtzctwSHistory.5.dr, 2fkbH95MIiIVHistory.0.dr, TWdqXpwjKJgnHistory.0.dr, 3FmY8Y3VZKUdHistory.5.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000003.1753067869.000000000601E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745912462.0000000006001000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1751234910.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1750510952.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1756986799.0000000005D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1758135110.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1752812191.0000000006137000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1754715932.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, n216lelIOnitWeb Data.0.dr, LXuFiEXG0EkqWeb Data.5.dr, CrDw0uiZyBrjWeb Data.0.dr, iLjAv5QAc_NyWeb Data.5.dr, rAZQ7hw0IO5UWeb Data.5.dr, ywWhbVJPCEiWWeb Data.0.dr	false		high
https://ipinfo.io/widget/demo/154.16.105.36$I3	RageMP131.exe, 00000007.00000002.1853860162.0000000000F15000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_boto	RageMP131.exe, 00000007.00000002.1853860162.0000000000F23000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com:443/demo/home.php?s=154.16.105.369	RageMP131.exe, 00000010.00000002.1923384925.00000000012FD000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
147.45.47.93	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
172.67.75.166	db-ip.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430607
Start date and time:	2024-04-24 00:05:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@14/60@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 67% Number of executed functions: 44 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
00:06:37	API Interceptor	3x Sleep call for process: WerFault.exe modified
23:06:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
23:06:03	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
23:06:03	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
23:06:11	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.186.192	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	uUsgzQ3DoW.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
	8BZBgbeCcz.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
147.45.47.93	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse
	ygm2mXUReY.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	qk9TaBBxh8.exe	Get hash	malicious	LummaC, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	s2dwlCsA95.exe	Get hash	malicious	RisePro Stealer	Browse
	SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe	Get hash	malicious	Amadey, RedLine, RisePro Stealer	Browse
	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	UeW2b6mU6Z.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	tA6etkt3gb.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse
172.67.75.166	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse
	ygm2mXUReY.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	s2dwlCsA95.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse
	TANQUIVUIA.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse
	oZ8kX4OA5q.exe	Get hash	malicious	RisePro Stealer	Browse
	S2ruRfajig.exe	Get hash	malicious	RisePro Stealer	Browse
	WARYTtjh4l.exe	Get hash	malicious	RisePro Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	TeaiGames.exe	Get hash	malicious	NovaSentinel	Browse	34.117.186.192
	ShadowFury.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	ShadowFury.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	SOLkM5sa4R.exe	Get hash	malicious	Phemedrone Stealer	Browse	34.117.186.192
	xOiio3LmAO.exe	Get hash	malicious	Phemedrone Stealer	Browse	34.117.186.192
	SOLkM5sa4R.exe	Get hash	malicious	Phemedrone Stealer	Browse	34.117.186.192
	ygm2mXUReY.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	34.117.186.192
	Dj43d18ukx.exe	Get hash	malicious	DCRat	Browse	34.117.186.192
db-ip.com	ygm2mXUReY.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	file.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	104.26.5.15
	2q45IEa3Ee.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	104.26.5.15
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	104.26.4.15
	SajWKdHxdF.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	s2dwlCsA95.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe	Get hash	malicious	Amadey, RedLine, RisePro Stealer	Browse	104.26.5.15
	UeW2b6mU6Z.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	104.26.5.15

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	34.117.186.192
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse	34.117.186.192
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	34.117.186.192
	_file____C__Users_hp_Downloads_C__Users_moodyt_AppData_Local_Temp_2_RemittanceAdvice17-Apr-2024.html	Get hash	malicious	Unknown	Browse	34.117.77.79
	TeaiGames.exe	Get hash	malicious	NovaSentinel	Browse	34.117.186.192
	SecuriteInfo.com.Trojan.MulDrop26.50476.18658.7474.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	SecuriteInfo.com.Trojan.MulDrop26.50476.18658.7474.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	ShadowFury.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	ShadowFury.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	nagateliteqfUK.exe	Get hash	malicious	AZORult++	Browse	34.117.188.166
CLOUDFLARENETUS	https://netorg442802-my.sharepoint.com/:b:/g/personal/darek_daronto_com/EeXtnEaZ3XJBqGk13it6odUB-K9vuYAC7zp7SfyciZ3BpQ?e=nkKu2w	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	https://netorg442802-my.sharepoint.com/:b:/g/personal/darek_daronto_com/EeXtnEaZ3XJBqGk13it6odUB-K9vuYAC7zp7SfyciZ3BpQ?e=nkKu2w	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://condoresorts.com/	Get hash	malicious	Unknown	Browse	172.67.162.186
	https://u44058082.ct.sendgrid.net/ls/click?upn=u001.wjMLvmoK1OC9dTKy5UL4VbqcIJmZWkGKJypB0ZF6j6rXk8HVnxe0g2af-2BenroUoONz6EEWthgE-2Bi2vVRUosKTZRVQ5v63hCdxrdKCztVooIv51imK8tr-2Bb3beAsH6u-2FNluJlUKmd7nST-2B9m-2Bl2Rgv4y6uHLimO0TjhZzZ-2F-2BDlllJQne3tT99z6x4W12pJpddTL-2BoJ2-2Bdo6961pFN3dV2Rg-3D-3DeWGT_h-2FW4DSvZGhKY-2FmU3Rq-2F3L-2FXo2OZSHdaVvlpgAgHQWDXPYB9CNYi-2FcvonFCbsEhjt9RP-2BQa7dTwbMJOOaP3JRnMW6mQAitl6qAb1EkaAR-2BmnZDE6Bi3ooqtCrrMW-2F3TPNMK3AVi1YKIdTOZivmUJGaXdrtbqCykfnTTkN9KMRy80rdRqf6LWUCYWGeeaXb-2BD6jokMbr-2FaJKvKMHDNWAfHyhaE6QO9pw7souFUseKb40g-3D	Get hash	malicious	HTMLPhisher	Browse	104.18.22.19
	zlONcFaXkc.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	172.64.41.3
	https://kbl8wfhm2.xn--90a1ajj.xn--p1ai/lm.php?tk=U2VjdXJpdHkJCQlzZWN1cml0eUB2ZWN0cmEuYWkJNzIxMjk1NDI1CTQ4NTE4MTgyMjA5NTU2OQlQeXRob25fTmV3CTE4OTkyODA2NDIJb3Blbglubwlubw==&url=https%3A%2F%2FS8p8QERcQ.xn--90a1ajj.xn--p1ai%2Flm%2Fpictures%2Fcti.png	Get hash	malicious	Unknown	Browse	172.67.169.56
	EXTERNAL Bonnie St Dryden is inviting you to collaborate on One_docx(Apr 23) DOC3848493.msg	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	172.67.139.220
	http://improvingpayments.com	Get hash	malicious	Unknown	Browse	172.67.152.194
	https://forms.osi.office365.us/r/sWNQn6JMmp	Get hash	malicious	Unknown	Browse	1.1.1.1
FREE-NET-ASFREEnetEU	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	193.233.132.234
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse	193.233.132.234
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	193.233.132.167
	c3nBx2HQG2.exe	Get hash	malicious	Glupteba, Mars Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	193.233.132.234
	file.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	193.233.132.169
	MOD.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	147.45.47.64
	ygm2mXUReY.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	file.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	193.233.132.175
	2q45IEa3Ee.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	193.233.132.253

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	z56NF-Faturada-23042024.msi	Get hash	malicious	MicroClip	Browse	34.117.186.192 172.67.75.166
	768.xla.xlsx	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	Gam.xls	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	szamla_sorszam_8472.xlsm	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	iPUk65i3yI.exe	Get hash	malicious	LummaC	Browse	34.117.186.192 172.67.75.166
	asbpKOngY0.exe	Get hash	malicious	LummaC	Browse	34.117.186.192 172.67.75.166
	VdwJB2cS5l.exe	Get hash	malicious	Remcos, DBatLoader	Browse	34.117.186.192 172.67.75.166
	https://www.epa.gov/climateleadership/simplified-ghg-emissions-calculator	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	SecuriteInfo.com.Win32.RATX-gen.9491.24773.exe	Get hash	malicious	Remcos, DBatLoader	Browse	34.117.186.192 172.67.75.166
	https://mota-engil.caf0sa.com/tiyamike.chikabadwa56078874fessdGl5YW1pa2UuY2hpa2FiYWR3YUBtb3RhLWVuZ2lsLnB097140964?5101245168264822=2215800694735574#dGl5YW1pa2UuY2hpa2FiYWR3YUBtb3RhLWVuZ2lsLnB0	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2187792
Entropy (8bit):	7.930048486776583
Encrypted:	false
SSDEEP:	49152:PZgJpHJqEtpdHqvN3FhHuwSZJYlzKYtSdtjWx34j:x2HjhHsnkgzKFEZ4j
MD5:	6A1CA153932A4D9B645A9CF47F30DA65
SHA1:	4E59A3754135F887A717B238B8BFA89E9870A1CD
SHA-256:	16861E3D14A7275BC7C771C361870B6D16B18321123D060DE8E7B2C6071E3D6B
SHA-512:	76AA4F532F422D8972C2E4E5FB887F5813F8E9A9ECD4DE39ED8EC541506655AF0EFEFF9EEE781FAB8195D159F26CB4E1352EA5F99F618EB681933F8C4EC257C3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L...^.%f...............'............X.P...........@..........................`g......\"...@.......................................... .......................Pg.................................................................@................... ............................ ..` Z{..........................@..@ 0I... ......................@... .....p......................@..@ ..... ...L..................@..B.vm_sec..@.......@...$..............@....idata...............d..............@....tls.................h...................rsrc........ .......j..............@..@.themida. 5.......... ..............`....boot....B....P..B... ..............`..`.reloc.......Pg......b!.

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_ec619316d435a0621ba3667744ac4ba198646d78_d1a40e08_5a4c7c3f-49b6-4eb3-8d5b-bf782d5388aa\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.047167040273847
Encrypted:	false
SSDEEP:	192:JIFlghzR8DPg07ErhN6E6jj/ZrUUJcUzuiFEZ24IO826t:cyReP77ErhAjqUzuiFEY4IO8p
MD5:	C574B0F246A617CD6A5AE9ED67F65A3E
SHA1:	D4181A5522BEB225462455ACB5457DCF4D21731F
SHA-256:	E1664C083B1D665348E5919B0E7F6F3D62E9E3A1EEC4D592293D2264849EA623
SHA-512:	D38AD89F525FC2C7250EF3DA2EB9078A52F0D6EFFD2263FFCA34377C2DAB908C8478813D73173C207C88D44F3E400F61F015CFC7BA2607A47CE8ABFBD502A794
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.3.8.3.5.7.8.4.0.5.9.7.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.3.8.3.5.7.9.4.5.2.8.4.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.a.4.c.7.c.3.f.-.4.9.b.6.-.4.e.b.3.-.8.d.5.b.-.b.f.7.8.2.d.5.3.8.8.a.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.f.2.6.2.d.b.d.-.3.1.c.a.-.4.4.6.2.-.b.a.6.4.-.0.a.a.6.8.c.3.6.9.7.2.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.r.o.s.s.D.e.v.i.c.e.S.e.t.t.i.n.g.s.H.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.4.0.-.0.0.0.1.-.0.0.1.4.-.8.c.4.4.-.9.f.6.e.c.a.9.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.6.7.a.b.c.f.8.d.6.c.2.5.2.9.7.e.d.9.7.2.3.e.f.1.6.c.3.8.f.3.6.0.0.0.0.0.9.1.0.!.0.0.0.0.4.e.5.9.a.3.7.5.4.1.3.5.f.8.8.7.a.7.1.7.b.2.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_ec619316d435a0621ba3667744ac4ba198646d78_d1a40e08_afb271d8-43e5-41cb-b5ef-4dcf3dfdaae0\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0533585496927051
Encrypted:	false
SSDEEP:	192:ABl6hzm8DPg07ErhN6E6jjyZrofxjPzuiFEZ24IO826t:E4meP77ErhAjrPzuiFEY4IO8p
MD5:	96AFF9EBEC8AB8BFA0386B10492954FC
SHA1:	07FBCCE2FC1253636154646FA9F52597068E3938
SHA-256:	A5CF1996D1409135B1667ED414F1BF2253F12A2A6E52EDA263D7AF8FD8FFEBEB
SHA-512:	A10B9D982A324DA984C7619C21298928970D361AE0FC2B34E62B9265A666095F6DE0638D8270353B3DC087D591B6C3CB4051DAEAF7B4866B9C069854A99D087A
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.3.8.3.5.7.8.4.0.5.3.4.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.3.8.3.5.7.9.6.3.9.7.1.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.b.2.7.1.d.8.-.4.3.e.5.-.4.1.c.b.-.b.5.e.f.-.4.d.c.f.3.d.f.d.a.a.e.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.d.7.d.2.5.1.e.-.c.1.1.a.-.4.5.c.f.-.b.5.c.5.-.4.f.f.c.8.e.5.3.c.3.d.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.r.o.s.s.D.e.v.i.c.e.S.e.t.t.i.n.g.s.H.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.d.0.-.0.0.0.1.-.0.0.1.4.-.4.1.c.c.-.9.0.6.e.c.a.9.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.6.7.a.b.c.f.8.d.6.c.2.5.2.9.7.e.d.9.7.2.3.e.f.1.6.c.3.8.f.3.6.0.0.0.0.0.9.1.0.!.0.0.0.0.4.e.5.9.a.3.7.5.4.1.3.5.f.8.8.7.a.7.1.7.b.2.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_a2a636d6b528a3cf542617edd8df83f41ab1c4b_394a0634_aa0059fc-b7e6-4132-8e38-83f092b6ad00\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0477746636166108
Encrypted:	false
SSDEEP:	192:sNBnkvrPXPw0LnaII3jyZrosLZuzuiFEZ24IO8iB:AmrvPLLnaPjyuzuiFEY4IO8S
MD5:	608FD78C405082574169FE5D3A2B21E6
SHA1:	05B0DE5FBB00860BB800103B0671A41528FE8F4F
SHA-256:	B161444BC3B6F247E0482D2338422E891154AD8690A52BA789F0C9521F3309E3
SHA-512:	2623E7E1654F2AFF2E51AD43AFD1AADD1BC28C577712F08B1CE3F0F73049E030D93B853BDC148732C3DF5157E59F7BDE8F15F176375F77875C2E1CD6ADADB924
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.3.8.3.5.7.8.3.9.8.9.1.1.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.3.8.3.5.7.9.5.2.3.9.1.1.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.0.0.5.9.f.c.-.b.7.e.6.-.4.1.3.2.-.8.e.3.8.-.8.3.f.0.9.2.b.6.a.d.0.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.a.3.1.9.9.b.a.-.b.8.3.c.-.4.8.c.0.-.8.4.6.5.-.e.9.4.c.6.8.d.b.f.3.e.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.r.o.s.s.D.e.v.i.c.e.S.e.t.t.i.n.g.s.H.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.e.0.-.0.0.0.1.-.0.0.1.4.-.e.0.b.9.-.2.7.6.d.c.a.9.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.6.7.a.b.c.f.8.d.6.c.2.5.2.9.7.e.d.9.7.2.3.e.f.1.6.c.3.8.f.3.6.0.0.0.0.0.9.1.0.!.0.0.0.0.4.e.5.9.a.3.7.5.4.1.3.5.f.8.8.7.a.7.1.7.b.2.3.8.b.8.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2651.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Apr 23 22:06:18 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	109924
Entropy (8bit):	1.9309488562688133
Encrypted:	false
SSDEEP:	384:xcb3l6AHVFtvaustrvM+i+frpZvgZJAzROfYfo3UJmS8P/ehTvVrfV3aJ1VmA:ur0AFtvausF3vGoROODVDBc0
MD5:	ADDB683D25B7BEA532373BED8A0D1AAF
SHA1:	6CAD091E87D6A02D54AD5005609272F2C8E140EE
SHA-256:	87598B5FB78B49C4ACDC8E31DE908FB1747306FBDE5ABF22003CE29856E79D79
SHA-512:	09FA26EF188A6C6B42653130A057C6D44BADF4110D8CE3D1C1BB7F9F0A81DD01DF0CC15F4D303077C2062B31AB998122C2A901D08F841ADB496993FA2A723767
Malicious:	false
Preview:	MDMP..a..... ........0(f....................................l...`#......t....I..........`.......8...........T............I...c...........#...........%..............................................................................eJ......P&......GenuineIntel............T............0(f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER26CF.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Apr 23 22:06:18 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	112384
Entropy (8bit):	1.9388091149809141
Encrypted:	false
SSDEEP:	384:86cJSFa7gRtvG0653iWwEVgPRQYmgNORA3hZDWtqLR4oQG5Q:4YwsRtvRxQxgNOO3hZbLRHQGS
MD5:	2DFCFCA190E68B671A7CB3C6E8778434
SHA1:	01C45B8BE5ACE47BCBC6D33A6B016088C32B5F81
SHA-256:	D65BDB19141E86C81C89B4A15C152A5B1B908C4889CC1143C6271F18850A8C8F
SHA-512:	0F2F5E008B7BFF9DE7D81CE1C0E7D35689B86F10F86A43FE0D277DB733D131749E73DA26E1785E4A015EC52E483EF74BD9BAEBDF44073A87FB7FAC57A9D61491
Malicious:	false
Preview:	MDMP..a..... ........0(f........................,...........l...$#..........rL..........`.......8...........T...........XI...m...........#..........\|%..............................................................................eJ.......&......GenuineIntel............T.......@....0(f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER26D0.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Apr 23 22:06:18 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	114640
Entropy (8bit):	1.9194123895717723
Encrypted:	false
SSDEEP:	384:9kqMZsZBkN2FtvabJ4lne9XRxA2SlaLtYRT247g1jEYF70lddB0mTMZh:LEKS2Ftvu4ULxA2+RTZ7QEYNNmTMZh
MD5:	A4AFB25FC7FBE09950E4D9918D67A8B4
SHA1:	B74AE81DD988D6B4DFF91BF478780DA1D5D31112
SHA-256:	401414B19990FB33DAD9CAFC49AE97B9F89CF154A734C2371FA588B24782F248
SHA-512:	CDF66153C8BDE3A96A81A06BCAA8B774F94B7FEB8833608A659CFC7C907C5CE5FA96D7DDE580BE6ADCF88C77C2AD22310C5A9E28EF1F0968FE83CCEE8FB23915
Malicious:	false
Preview:	MDMP..a..... ........0(f....................................l....#...........L..........`.......8...........T............J...u...........#...........%..............................................................................eJ.......&......GenuineIntel............T............0(f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2828.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6362
Entropy (8bit):	3.727251793885873
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1uD67YilgJJHhprm89bMRsfp8km:R6lXJg67Y4gJJHjMKf0
MD5:	30278ECEB879EBDBC5AD8D7B4C714CFC
SHA1:	6D09EE2B6A2F5FC68CA64AEE790C3B5C99379BFE
SHA-256:	6164B4D25D85790773C77E54D0540B8A28CC11E4B869156DF58DE4516A40A0DE
SHA-512:	8AEABB2EEB80617270290BE6663D55C740D4593852A48ED8E805745AC70664F0DB7B528FBC2DEF6B4D29FB403248E850F06D7191C4ABF151A9F07D8DCD040730
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2867.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4718
Entropy (8bit):	4.5251708479308235
Encrypted:	false
SSDEEP:	48:cvIwWl8zsUJg77aI9HsWpW8VYkPYm8M4JR7tiFQQ+q87DvOQLgPhfd:uIjfSI7VF7VtSJjQTxP1d
MD5:	89F7FE012936E36DB19994F8EBE8894B
SHA1:	33AE879E2AE3E70D3059E71BB8AF85C07101704D
SHA-256:	7D523B2855849D277FF4202DF87043AA74EBBA88EDA72B76989E7F979FB700A7
SHA-512:	B87185EB0222BACB91FB4FBC1338EDBC4587C5F697176FF50995425D39235BF91242CAEB568F2EDB99BB4958798943204FB7B52F9947ABB9350AB6F9DF45221E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="293109" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2886.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8372
Entropy (8bit):	3.699693012451082
Encrypted:	false
SSDEEP:	192:R6l7wVeJPCe6nEqj26Y91SUpoQgmfB5gJJoprg89bV6sf0wnm:R6lXJr6nPj26YvSUpoQgmf/gJJwVZfU
MD5:	5E17F05D00ED4C59B3849E8D4959CEA4
SHA1:	1BBA35C33468249100EF02DC7D999D83D954C98D
SHA-256:	AF848FC0E9047419CE031E208AABE9D1DE70B8FA1DC80EC10D09A56DB6A80D89
SHA-512:	AE8CC12E7C6C9912D10561489966DF0522FCCCE9CA47B49F1095D1CBD8CB5799D83623DF1649BE505CE04B655A62DF991FC99CC1ECFE81B2F60404CE7C35AF63
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER28E4.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4698
Entropy (8bit):	4.502751273298267
Encrypted:	false
SSDEEP:	48:cvIwWl8zsUJg77aI9HsWpW8VYdYm8M4Jd7yF3m+q8QxkXQLLsrfd:uIjfSI7VF7VFJjqXCsDd
MD5:	B42CC85E92B86A47379C309C4E5C25D1
SHA1:	558CCE4FCCD24EEFEC74347B57AFF38616F5981F
SHA-256:	84921862E425973E0C30DD93D782BBD207820A3C5E5CD8BECF1AB95357CD71F0
SHA-512:	1213AB3DA85AEF77FACFA443CD6FCD9620C3D7FCB40A5E0EBB38819E1A362B3423808A72891924A1BB2753F3995FBEBF61FA055A529593AD19F9C03D8D1E1D7D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="293109" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2940.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6366
Entropy (8bit):	3.725386380827846
Encrypted:	false
SSDEEP:	192:R6l7wVeJFuC6rfzYilgJJHhprd89bVWsf0Pnm:R6lXJR6rfzY4gJJHWV1fb
MD5:	95381FAF6B7C53A71852849DB7CF777F
SHA1:	062DA4053F8E78E1B4651C40CC22C18B3377F410
SHA-256:	751010BEBAC7E33A3CBC1A24C4690963B0365739BE789FEF5DF0B09668FA8B86
SHA-512:	633027419E941C592CCF47D93B8AA6C2BF7FCE3E331048FE4D8E57F73CF8D47D0E49DDEE8F8B92DC73C96C8A8C7D140324605003C56E1D22C2E3BFD89ACB951E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER29DD.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4718
Entropy (8bit):	4.525225838583309
Encrypted:	false
SSDEEP:	48:cvIwWl8zsUJg77aI9HsWpW8VYhvYm8M4JR7tiFrI+q87DvHGQLgPQfd:uIjfSI7VF7ViyJjDxPed
MD5:	5CA2A10661518ECC18DB9FC5DD54BCFC
SHA1:	99D6C2247DC0B81848C8DCA8ADBCAC5B37EC0C34
SHA-256:	3424D20CECEA2BDC37E615248BA0604BF79234BA84155498F83990DE80B91677
SHA-512:	85D72B0EF1E179E6B16B1B8B069BF921ED896304B4EACAB7F482195E5A3B908BAC3C621B65592373D22D7B4D570AF798973F9A58706422D86974743CC13AFD38
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="293109" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2187792
Entropy (8bit):	7.930048486776583
Encrypted:	false
SSDEEP:	49152:PZgJpHJqEtpdHqvN3FhHuwSZJYlzKYtSdtjWx34j:x2HjhHsnkgzKFEZ4j
MD5:	6A1CA153932A4D9B645A9CF47F30DA65
SHA1:	4E59A3754135F887A717B238B8BFA89E9870A1CD
SHA-256:	16861E3D14A7275BC7C771C361870B6D16B18321123D060DE8E7B2C6071E3D6B
SHA-512:	76AA4F532F422D8972C2E4E5FB887F5813F8E9A9ECD4DE39ED8EC541506655AF0EFEFF9EEE781FAB8195D159F26CB4E1352EA5F99F618EB681933F8C4EC257C3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L...^.%f...............'............X.P...........@..........................`g......\"...@.......................................... .......................Pg.................................................................@................... ............................ ..` Z{..........................@..@ 0I... ......................@... .....p......................@..@ ..... ...L..................@..B.vm_sec..@.......@...$..............@....idata...............d..............@....tls.................h...................rsrc........ .......j..............@..@.themida. 5.......... ..............`....boot....B....P..B... ..............`..`.reloc.......Pg......b!.

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\fOmlyjeWLzh5Tv38_jR4gFx.zip

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	modified
Size (bytes):	5607
Entropy (8bit):	7.886786703978543
Encrypted:	false
SSDEEP:	96:QintUT29vHz9WQBavDziBP1Pe4McobRHSI0JwA3OxgUnAcGWvV5Sdlr8z3KJZ4nd:QintUT29Hz9WGFh1Pe4q4RJwA3OyU555
MD5:	027DA28D5968F0B49E24C78EE67C99C2
SHA1:	D3CB41C2457818BBC39E81D5FCB8794BB118DC54
SHA-256:	40C44FD6511B4C0AB59C8E501768372AB501188B1533D61997E478FD44F43F73
SHA-512:	042A1C9789ED696256B89B24F2963415A2799046EC0B004DEA946721DF5BC4F160E006910A2E3D68A70F5E7C8CD91976D57CB82DDE26EB6B36614FF77BA280CF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\fOmlyjeWLzh5Tv38_jR4gFx.zip, Author: Joe Security
Preview:	PK...........X................Cookies\..PK...........X..s@..../......Cookies\Chrome_Default.txt.G.....5..G.BMx.....%.M...{...?.LH..71.t.....:y3..s./.0.m.%......../. ..!..A.C.........;...x...........!.2.....Z..<....<.h8..<.q;.....9....gK.}.R.#f...A.E...1...?lR....b.....nS=l.%E&'...>x......h.......E)C..t..'.2<Z_@.........&Lk......0..B.mqk.9M1lf.-e@....E.v..R&..\|..-....C.w.Y.K... ........k..3..2W5.!vs.....S.~.......0._.*..e.....U...).....>...g+;...z[Ks....Z..d...\|.".v..(...I....+.7.y.X@.H....eV.............Y..c..x...Kw.'S>.d\|.....B..k.p..\|C\|F.......O52....`f.3W..../....i..E...7..c.Kwv..,]..C..j.2.T..+............t.2....6.M>..s..K.M...VJ..>;.......n.<f;]s.K..5...n....~$ ....%......Z#.....Q5...<n...I&......0<:..>..I.K)g.)..KX.H.(Y!..j4W.j..1.V..d\.T..,p...D...T..>z...,.....L.....Mh.t..!....A...!?.U...x..[a7j.N;#..t.\.#.Z.-)f...v_.<..?..`.D0..?......).vX.#...Lw.j...1.....M.#...+.W....h....U.W....G.w......'.Y?.....;.....`...X...C..w..

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.9312089489103235
Encrypted:	false
SSDEEP:	3:LGNV:6H
MD5:	0BD50A71113A1E9D7CF8ECE6CF98DD23
SHA1:	EA716D6E7C77C58D49661FCA84187D90E5B0C505
SHA-256:	8693DF49F6BE0CAE17B8E3FB620CB3468FC2DDEF425DBED035653059E7E0A819
SHA-512:	7EA7C1F5BA229B015C91C425A199E86BB8398E3FDBEC6224A56B693C8E2B88805FC6E12B31741872502B89306C9DC2D11525C71A063AF82A2756832E65B1E47B
Malicious:	false
Preview:	1713916104280

C:\Users\user\AppData\Local\Temp\spanQFZsogCtLsji\02zdBXl47cvzcookies.sqlite

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanQFZsogCtLsji\2fkbH95MIiIVHistory

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanQFZsogCtLsji\3b6N2Xdh3CYwplaces.sqlite

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanQFZsogCtLsji\6BEpSEEJK2MRWeb Data

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanQFZsogCtLsji\CrDw0uiZyBrjWeb Data

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanQFZsogCtLsji\D87fZN3R3jFeplaces.sqlite

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanQFZsogCtLsji\KACSF2aZBIrqHistory

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanQFZsogCtLsji\MSeCMsgcpAM6Cookies

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanQFZsogCtLsji\S8KxQcloANgRLogin Data

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanQFZsogCtLsji\TWdqXpwjKJgnHistory

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanQFZsogCtLsji\chbVhxN5Q4oALogin Data

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanQFZsogCtLsji\kKUZo8xfUQP6Login Data For Account

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanQFZsogCtLsji\n216lelIOnitWeb Data

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanQFZsogCtLsji\oxPSCaI8jrzXHistory

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanQFZsogCtLsji\pWdX6oy0wMh6Web Data

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanQFZsogCtLsji\tsK6qQZ5zZkiWeb Data

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanQFZsogCtLsji\ywWhbVJPCEiWWeb Data

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanax8MrfHUT7go\02zdBXl47cvzcookies.sqlite

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanax8MrfHUT7go\3FmY8Y3VZKUdHistory

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanax8MrfHUT7go\3T4iUC1W1QN1Login Data

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanax8MrfHUT7go\3b6N2Xdh3CYwplaces.sqlite

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanax8MrfHUT7go\D87fZN3R3jFeplaces.sqlite

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanax8MrfHUT7go\FLoEPq542D1GHistory

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanax8MrfHUT7go\LE8muCHAK5sLWeb Data

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanax8MrfHUT7go\LXuFiEXG0EkqWeb Data

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanax8MrfHUT7go\MTRqRtKLov0rWeb Data

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanax8MrfHUT7go\OAknfdtzctwSHistory

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanax8MrfHUT7go\YdijmPRhuNDcWeb Data

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanax8MrfHUT7go\aU71U5Q3u0g5Login Data

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanax8MrfHUT7go\iLjAv5QAc_NyWeb Data

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanax8MrfHUT7go\qxceeLkUXC0mCookies

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanax8MrfHUT7go\rAZQ7hw0IO5UWeb Data

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanax8MrfHUT7go\spvsXarvltR2Login Data For Account

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanax8MrfHUT7go\zXxF9mapGYi0History

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\trixyQFZsogCtLsji\Cookies\Chrome_Default.txt

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with very long lines (769), with CRLF line terminators
Category:	dropped
Size (bytes):	6085
Entropy (8bit):	6.038274200863744
Encrypted:	false
SSDEEP:	96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
MD5:	ACB5AD34236C58F9F7D219FB628E3B58
SHA1:	02E39404CA22F1368C46A7B8398F5F6001DB8F5C
SHA-256:	05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
SHA-512:	5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
Malicious:	false
Preview:	.google.com.TRUE./.TRUE.1712145003.NID.ENC893_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH

C:\Users\user\AppData\Local\Temp\trixyQFZsogCtLsji\information.txt

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	5614
Entropy (8bit):	5.28364815429627
Encrypted:	false
SSDEEP:	96:x/yPPMRFecT4Aisph+9hcmYfOhmDLa4mANUbg3x:xKM/evAtphWhcmaImfnTB
MD5:	4A605B3EC898B0BBCFEEBF10B5C2ABE2
SHA1:	26A4395A1DFDBDA1AD6A9D87E066285814C6B62E
SHA-256:	7C93A624DCFC841E45EAB5E43F6812024A9BE6D0DFD26A09652D806FF266306C
SHA-512:	6949B876D313439482ED3DE41F7295226E0CCEEE970FE2152F5B187C985986219AFAB28D416CABA9E3150B74F744B971C3DCD35F5562D18EFEB8C145828501B1
Malicious:	false
Preview:	Build: lafos..Version: 1.9....Date: Wed Apr 24 00:06:13 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 9bebfd0384767043b278069fd88188f6....Path: C:\Users\user\Desktop\file.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixyQFZsogCtLsji....IP: 154.16.105.36..Location: US, Las Vegas..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 888683 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 24/4/2024 0:6:13..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe [784]..sv

C:\Users\user\AppData\Local\Temp\trixyQFZsogCtLsji\passwords.txt

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	Unicode text, UTF-8 text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	4897
Entropy (8bit):	2.518316437186352
Encrypted:	false
SSDEEP:	48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
MD5:	B3E9D0E1B8207AA74CB8812BAAF52EAE
SHA1:	A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
SHA-256:	4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
SHA-512:	B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\trixyax8MrfHUT7go\Cookies\Chrome_Default.txt

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	ASCII text, with very long lines (769), with CRLF line terminators
Category:	dropped
Size (bytes):	12170
Entropy (8bit):	6.038274200863744
Encrypted:	false
SSDEEP:	192:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WhHGYUnOTNC5IcXkWFXZQHRFJ5Pts7c3aP:gwsPbtKvCpqq40wsPbtKvCpqq47
MD5:	B6F52D24FC4333CE4C66DDA3C3735C85
SHA1:	5B69F1D66E95EFE2CF1710E9F58526B2AAEC67E4
SHA-256:	0FEE1A764F541EC6733DB89C823296650F6E581CD7D812D5A142B5A0AD9BC9B6
SHA-512:	CD2C6D64083061D7C7A7E89CF9C9F7D2B66301C73CFB56D2CCD94D1B810DE42774DAE5B77DB2E567A26FC54989C04D8A60D76225E6F3F91FCD2AE4D2E01F3C4C
Malicious:	false
Preview:	.google.com.TRUE./.TRUE.1712145003.NID.ENC893_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH

C:\Users\user\AppData\Local\Temp\trixyax8MrfHUT7go\information.txt

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	5619
Entropy (8bit):	5.285649503299065
Encrypted:	false
SSDEEP:	96:x/yy1MRF9cT4Aisph+9hcmYfOhmDLa4mANUbg3x:xKL/9vAtphWhcmaImfnTB
MD5:	3377979E798A0F0979947EE20045C7AE
SHA1:	158E476F1ED789EC93D844A15309E62FEB2D6B8B
SHA-256:	1F047F883964544575B7866FFA0AF333D905213F64FBBABE6D59E1C54EF3DEE0
SHA-512:	B198A5F95C390B337DB902944DE2F515131C696B9AF0BC558884F2831DC9ACD85ADC75E4448D59F553DFFE73B845896631385D074E0BA4A3196663D3C8DF8BB1
Malicious:	false
Preview:	Build: lafos..Version: 1.9....Date: Wed Apr 24 00:06:14 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 9bebfd0384767043b278069fd88188f6....Path: C:\ProgramData\MPGPH131\MPGPH131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixyax8MrfHUT7go....IP: 154.16.105.36..Location: US, Las Vegas..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 888683 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 24/4/2024 0:6:14..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe [784

C:\Users\user\AppData\Local\Temp\trixyax8MrfHUT7go\passwords.txt

Download File

Process:	C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:	Unicode text, UTF-8 text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	4897
Entropy (8bit):	2.518316437186352
Encrypted:	false
SSDEEP:	48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
MD5:	B3E9D0E1B8207AA74CB8812BAAF52EAE
SHA1:	A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
SHA-256:	4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
SHA-512:	B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\v3LvRqxzMigkZO4sGSn3NDv.zip

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	modified
Size (bytes):	5531
Entropy (8bit):	7.894536965044656
Encrypted:	false
SSDEEP:	96:5WGzqeAoMq+YK0KF8cAJiI2i+uwWT/2T5Ir+i71RkA3lAuHGj3KJli:NqASpF8wFVaG5Ir+A1uAa6Jli
MD5:	AC1080C956DAEE14854772E6CA6B5848
SHA1:	3FBB2FA3D19A95CBCEF9A22294BF2089DD523F22
SHA-256:	74144BB26B5F23574D5D77D9EA9BDED89906C89B74D7D691456A169B11DC541E
SHA-512:	B35856456EF07D6DD247BCCAE8A5375E79D2F43EC394FFCB50CB2A6AA1CC610645B33F31ED696D40852B87241186DF4F47FB7ECDDAAB4A748A1433D125D41E73
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\v3LvRqxzMigkZO4sGSn3NDv.zip, Author: Joe Security
Preview:	PK...........X................Cookies\..PK...........XQn.+............Cookies\Chrome_Default.txt.G..r...U.#.5C.....s$..-.D...7.\..$.G.)o....:....Z.C.f_..pm............"..t..t....}.k.@...a.2+P`.0.x.>....s..k%.._..b..P..((......B.....`.7..-m..JY..F....E..l.....I..&.....<J..M.......,V...)b.....Q..k......M?.5L....h}......X..'.0..tB.G...\;.a....4.......B4.......J.4.6.y:....4.-.UfE...3Ap.U5UX....Z.g:e.j.C..Bw..........e..a^.vU:....$..U......B..`._.e.....+...9.{u...7.e...H.]02...%yR".0...x...P<..N....R.}....{.G...;..c..x...kw.'S>.d\|.....B..k.9.t.!>.rh...~n.[....s#/....`.!..Kb8%&.vZB`....O\|.....>K......L...d0..03..t...T&.......`N.xp.."..J.......Q.....c..5...).Z.91.6.j..G.....Wr...a.52!..(^.U.....6....dB.D.^...7..0H.\J9.H.$^`e"..d...\....B.8Z=.qeP.3Y.>..'W.X..T..>z...,..K......g....%B.w4#...;.[]u\|....v...3.;L..U?..b.....u....... .......F...P.a...\|R3.=......r.:.64...#D..^..>.A..ZT.]E........t...f...1..3.....`...X.....C.]%...p.p.ym

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469051080405372
Encrypted:	false
SSDEEP:	6144:UIXfpi67eLPU9skLmb0b44WSPKaJG8nAgejZMMhA2gX4WABl0uNmdwBCswSb+:pXD944WlLZMM6YFH8++
MD5:	A921E605F731E33EEFF80BA93077DC40
SHA1:	97CB05C42F9AED3439C5FE92602CAE71F376CEC0
SHA-256:	F16FA940D43BF7A193406F5383AC433A0A78EFEB08A57903D34DEBDC55A5B3E6
SHA-512:	44841E8770C9F8C5E0A507481C4BD890B0AB7485747EF0E15733684892C127ECDA7DAA3513EB0CDB78794D9A8A2110EB355455DA106EEBA72C9E06C145B3596A
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.?.w..................................................................................................................................................................................................................................................................................................................................................C........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.930048486776583
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'187'792 bytes
MD5:	6a1ca153932a4d9b645a9cf47f30da65
SHA1:	4e59a3754135f887a717b238b8bfa89e9870a1cd
SHA256:	16861e3d14a7275bc7c771c361870b6d16b18321123d060de8e7b2c6071e3d6b
SHA512:	76aa4f532f422d8972c2e4e5fb887f5813f8e9a9ecd4de39ed8ec541506655af0efeff9eee781fab8195d159f26cb4e1352ea5f99f618eb681933f8c4ec257c3
SSDEEP:	49152:PZgJpHJqEtpdHqvN3FhHuwSZJYlzKYtSdtjWx34j:x2HjhHsnkgzKFEZ4j
TLSH:	3DA53312B6815E87E265C0B5DD22CBBAED38AF11DC1762D040DF7F87327624C9BA91A4
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s

File Icon


Icon Hash:	4c4d96ec0ce6c600

Static PE Info

General

Entrypoint:	0x900058
Entrypoint Section:	.boot
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6625EF5E [Mon Apr 22 05:02:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	63814aaf116ba6abb6496ce4bcad24c6

Entrypoint Preview

Instruction
call 00007F5690B1BCB0h
push ebx
mov ebx, esp
push ebx
mov esi, dword ptr [ebx+08h]
mov edi, dword ptr [ebx+10h]
cld
mov dl, 80h
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
mov ebx, 00000002h
add dl, dl
jne 00007F5690B1BB67h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007F5690B1BB4Ch
add dl, dl
jne 00007F5690B1BB67h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007F5690B1BBB3h
xor eax, eax
add dl, dl
jne 00007F5690B1BB67h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007F5690B1BC47h
add dl, dl
jne 00007F5690B1BB67h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F5690B1BB67h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F5690B1BB67h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F5690B1BB67h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
je 00007F5690B1BB6Ah
push edi
mov eax, eax
sub edi, eax
mov al, byte ptr [edi]
pop edi
mov byte ptr [edi], al
inc edi
mov ebx, 00000002h
jmp 00007F5690B1BAFBh
mov eax, 00000001h
add dl, dl
jne 00007F5690B1BB67h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F5690B1BB67h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jc 00007F5690B1BB4Ch
sub eax, ebx
mov ebx, 00000001h
jne 00007F5690B1BB8Ah
mov ecx, 00000001h
add dl, dl
jne 00007F5690B1BB67h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc ecx, ecx
add dl, dl
jne 00007F5690B1BB67h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jc 00007F5690B1BB4Ch
push esi
mov esi, edi
sub esi, ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1a018b	0x184	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a2000	0xb5ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x675000	0x10	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1a1018	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x1803c4	0x40
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x158af8	0x7f400	f1bb82fb672722518d7df51c81f9a6d7	False	0.9994570389243614	data	7.99947787553928	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x15a000	0x27b5a	0xc600	9ec658a93c1c4179a3a4043ebb547217	False	0.9971393623737373	data	7.994641527184476	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x182000	0x4930	0x800	03403e486849548bca18175e578d0394	False	0.90185546875	data	7.373201308789358	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x187000	0xafa0	0x1200	555245ef1f339145300177d982f3db03	False	1.0023871527777777	data	7.95212856333623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x192000	0x9700	0x4c00	8e777be518d50c705079c57114c39f3b	False	0.9943462171052632	data	7.97835649221173	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.vm_sec	0x19c000	0x4000	0x4000	984374becf2f91b624ad80ee049ef1a1	False	0.16162109375	data	2.8614542827525082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1a0000	0x1000	0x400	4b59baa1deb5678c423b5222ad87c2b8	False	0.400390625	data	3.337049343901853	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1a1000	0x1000	0x200	b6901c91578d4b57eb40e738bb0d9b8e	False	0.056640625	data	0.18120187678200297	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a2000	0xb600	0xb600	27507467f3af30f8a547dc012d3000e7	False	0.12386246565934066	data	2.4019871224080975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida	0x1ae000	0x352000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot	0x500000	0x174200	0x174200	e27b644f515fec9abdd9e8df775a9e84	False	0.9860276442307693	data	7.954910935744161	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x675000	0x1000	0x10	99df941ae8b9cb04221a0de4a710f9a9	False	1.5	GLS_BINARY_LSB_FIRST	2.349601752714581	IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1a21e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Russian	Russia	0.1320921985815603
RT_ICON	0x1a2658	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1600	Russian	Russia	0.10465116279069768
RT_ICON	0x1a2d20	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Russian	Russia	0.08770491803278689
RT_ICON	0x1a36b8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Russian	Russia	0.05722326454033771
RT_ICON	0x1a4770	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Russian	Russia	0.03475103734439834
RT_ICON	0x1a6d28	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	Russian	Russia	0.02509447331128956
RT_ICON	0x1aaf60	0x1aae	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	0.39780380673499266
RT_GROUP_ICON	0x1aca20	0x68	data	Russian	Russia	0.7596153846153846
RT_VERSION	0x1aca98	0x398	OpenPGP Public Key	Russian	Russia	0.42282608695652174
RT_MANIFEST	0x1ace40	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727
RT_MANIFEST	0x1acfd0	0x5d7	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.43478260869565216

Imports

DLL	Import
kernel32.dll	GetModuleHandleA
USER32.dll	wsprintfA
GDI32.dll	CreateCompatibleBitmap
ADVAPI32.dll	RegQueryValueExA
SHELL32.dll	ShellExecuteA
ole32.dll	CoInitialize
WS2_32.dll	WSAStartup
CRYPT32.dll	CryptUnprotectData
SHLWAPI.dll	PathFindExtensionA
gdiplus.dll	GdipGetImageEncoders
SETUPAPI.dll	SetupDiEnumDeviceInfo
ntdll.dll	RtlUnicodeStringToAnsiString
RstrtMgr.DLL	RmStartSession

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/24/24-00:06:04.246752	TCP	2049060	ET TROJAN RisePro TCP Heartbeat Packet	49730	58709	192.168.2.4	147.45.47.93
04/24/24-00:06:24.994866	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49750	147.45.47.93	192.168.2.4
04/24/24-00:06:07.810603	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49733	147.45.47.93	192.168.2.4
04/24/24-00:06:04.897107	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49730	147.45.47.93	192.168.2.4
04/24/24-00:06:04.557121	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49730	147.45.47.93	192.168.2.4
04/24/24-00:06:07.790191	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49732	147.45.47.93	192.168.2.4
04/24/24-00:06:08.020801	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49730	58709	192.168.2.4	147.45.47.93
04/24/24-00:06:08.131790	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49732	147.45.47.93	192.168.2.4
04/24/24-00:06:16.989078	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49739	147.45.47.93	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 00:06:03.906419992 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:04.231779099 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:04.231909037 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:04.246752024 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:04.557121038 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:04.571855068 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:04.571933031 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:04.676826000 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:04.897106886 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:04.942375898 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:05.044399023 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:05.189116001 CEST	49731	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:05.189167023 CEST	443	49731	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:05.189224958 CEST	49731	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:05.192140102 CEST	49731	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:05.192161083 CEST	443	49731	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:06.340004921 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:06.342710018 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:07.332976103 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:07.348609924 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:07.464567900 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:07.464643955 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:07.464663982 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:07.464700937 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:07.479257107 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:07.481029034 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:07.497669935 CEST	443	49731	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:07.497766018 CEST	49731	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:07.500026941 CEST	49731	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:07.500060081 CEST	443	49731	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:07.500420094 CEST	443	49731	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:07.551719904 CEST	49731	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:07.556143045 CEST	49731	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:07.600121021 CEST	443	49731	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:07.790190935 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:07.806379080 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:07.806433916 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:07.810602903 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:07.864253998 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:07.883826017 CEST	443	49731	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:07.884160995 CEST	443	49731	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:07.884233952 CEST	49731	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:07.891360998 CEST	49731	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:07.891376019 CEST	443	49731	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:07.913671970 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:08.020801067 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:08.054346085 CEST	49734	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:08.054416895 CEST	443	49734	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:08.054534912 CEST	49734	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:08.054861069 CEST	49734	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:08.054877996 CEST	443	49734	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:08.131789923 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:08.176717043 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:08.189699888 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:08.239248991 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:08.263370991 CEST	49735	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:08.263402939 CEST	443	49735	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:08.263488054 CEST	49735	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:08.264322996 CEST	49735	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:08.264334917 CEST	443	49735	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:08.264605045 CEST	49736	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:08.264693022 CEST	443	49736	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:08.264782906 CEST	49736	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:08.265568018 CEST	49736	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:08.265605927 CEST	443	49736	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:08.294230938 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:08.301846027 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:08.359236956 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:08.403798103 CEST	443	49734	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:08.403894901 CEST	49734	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:08.406117916 CEST	49734	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:08.406148911 CEST	443	49734	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:08.406497002 CEST	443	49734	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:08.407547951 CEST	49734	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:08.411123037 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:08.448159933 CEST	443	49734	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:08.619076967 CEST	443	49735	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:08.619092941 CEST	443	49736	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:08.619142056 CEST	49735	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:08.619349957 CEST	49736	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:08.620349884 CEST	49736	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:08.620379925 CEST	443	49736	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:08.620733976 CEST	443	49736	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:08.620805979 CEST	49735	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:08.620817900 CEST	443	49735	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:08.621232033 CEST	443	49735	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:08.661098003 CEST	49735	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:08.661231995 CEST	49736	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:08.669497967 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:08.671394110 CEST	49735	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:08.680934906 CEST	49736	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:08.712155104 CEST	443	49735	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:08.724184990 CEST	443	49736	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:09.005280972 CEST	443	49734	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.005496025 CEST	443	49734	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.005614996 CEST	49734	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.005968094 CEST	49734	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.006017923 CEST	443	49734	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.006051064 CEST	49734	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.006068945 CEST	443	49734	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.006416082 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:09.010901928 CEST	443	49736	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:09.011200905 CEST	443	49736	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:09.011269093 CEST	49736	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:09.011430025 CEST	49736	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:09.011471033 CEST	443	49736	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:09.011499882 CEST	49736	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:09.011516094 CEST	443	49736	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:09.011651993 CEST	443	49735	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:09.011818886 CEST	443	49735	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:09.011879921 CEST	49735	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:09.011986017 CEST	49735	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:09.012005091 CEST	443	49735	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:09.012015104 CEST	49735	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:09.012022018 CEST	443	49735	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:09.013226032 CEST	49737	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.013286114 CEST	443	49737	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.013365030 CEST	49737	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.013573885 CEST	49738	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.013601065 CEST	443	49738	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.013655901 CEST	49737	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.013659000 CEST	49738	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.013684988 CEST	443	49737	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.013972998 CEST	49738	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.013984919 CEST	443	49738	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.352164984 CEST	443	49738	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.352227926 CEST	49738	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.353333950 CEST	49738	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.353343010 CEST	443	49738	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.353830099 CEST	443	49738	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.354890108 CEST	49738	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.355635881 CEST	443	49737	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.355695963 CEST	49737	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.356592894 CEST	49737	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.356600046 CEST	443	49737	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.357505083 CEST	443	49737	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.358525038 CEST	49737	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.363543987 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:09.396146059 CEST	443	49738	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.404112101 CEST	443	49737	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.411117077 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:09.442553997 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:09.784167051 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:09.833112955 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:09.880278111 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:09.910936117 CEST	443	49738	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.911154985 CEST	443	49738	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.911237001 CEST	49738	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.911376953 CEST	49738	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.911390066 CEST	443	49738	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.911406994 CEST	49738	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.911412954 CEST	443	49738	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.911900997 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:09.944343090 CEST	443	49737	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.944581032 CEST	443	49737	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.944648027 CEST	49737	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.944719076 CEST	49737	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.944719076 CEST	49737	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:09.944746017 CEST	443	49737	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.944767952 CEST	443	49737	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:09.945193052 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:10.223692894 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.223769903 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.223824024 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.223835945 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:10.223875999 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.223921061 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:10.223928928 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.223982096 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.224030972 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.224035978 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:10.224081993 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.224138021 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:10.224148035 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.224216938 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.224262953 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:10.268379927 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.297822952 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.317357063 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:10.348654985 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:10.348834991 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:10.380069017 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:10.549477100 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.549561024 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.549613953 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.549666882 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.549684048 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:10.549721003 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.549755096 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:10.549772978 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.549834013 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:10.645581007 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:10.690352917 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.722059965 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:10.739392042 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:10.770535946 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:10.786295891 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:10.817492962 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.013253927 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.153696060 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.184993029 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.458417892 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.458503008 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.458558083 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.458558083 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.458611965 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.458656073 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.458666086 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.458719015 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.458756924 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.458770037 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.458825111 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.458865881 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.458874941 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.458930016 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.458966970 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.473470926 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.473530054 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.473582029 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.473632097 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.473647118 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.473685980 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.473689079 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.473740101 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.473782063 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.473788977 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.473838091 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.473880053 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.473891020 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.473942995 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.473989964 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.501877069 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.520534039 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.786444902 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.786535025 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.786583900 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.786592007 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.786644936 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.786684990 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.786695004 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.786744118 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.786792040 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.801163912 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.801223040 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.801265001 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.801274061 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.801362991 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.801408052 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.801457882 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.801508904 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.801578045 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.861691952 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:11.880103111 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.911137104 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:11.911218882 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:12.220638037 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:12.268466949 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:12.285902977 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:12.302469015 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:12.302522898 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:12.643220901 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:12.657767057 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:12.692359924 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:12.707995892 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:15.018590927 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:15.018697023 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:15.343801975 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:15.343868017 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:15.344008923 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:15.344060898 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:15.494872093 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:15.494872093 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:15.636640072 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:15.636641026 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:15.715933084 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:15.820497990 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:15.820522070 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:15.820610046 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:15.874185085 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:15.962172985 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:15.962300062 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:15.962519884 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:16.013066053 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:16.200706959 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:16.337421894 CEST	49739	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:16.341178894 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:16.404512882 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:16.420777082 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:16.457979918 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:16.473690033 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:16.663084030 CEST	58709	49739	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:16.663191080 CEST	49739	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:16.691634893 CEST	49739	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:16.989078045 CEST	58709	49739	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:17.017188072 CEST	58709	49739	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:17.017321110 CEST	49739	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:17.115423918 CEST	49739	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:17.343153954 CEST	58709	49739	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:17.395504951 CEST	49739	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:17.481785059 CEST	58709	49739	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:18.051816940 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:18.377238035 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:18.397142887 CEST	58709	49730	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:18.397212982 CEST	49730	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:18.567677021 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:18.702769041 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:18.702804089 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:18.702862978 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:18.704384089 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:18.704396009 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:18.708265066 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:18.893353939 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:18.903999090 CEST	58709	49733	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:18.904046059 CEST	49733	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:19.033751011 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:19.044754028 CEST	58709	49732	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:19.044800997 CEST	49732	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:19.060019970 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:19.060127974 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:19.061368942 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:19.061391115 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:19.061713934 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:19.114237070 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:19.117165089 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:19.164150953 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:19.454257965 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:19.454555035 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:19.454610109 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:19.454752922 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:19.454752922 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:19.454785109 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:19.454799891 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:19.480750084 CEST	49741	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:19.480833054 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:19.480909109 CEST	49741	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:19.481224060 CEST	49741	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:19.481260061 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:19.812525034 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:19.812592983 CEST	49741	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:19.814085960 CEST	49741	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:19.814101934 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:19.814510107 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:19.816586018 CEST	49741	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:19.860116959 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:20.325310946 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:20.325427055 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:20.325516939 CEST	49741	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:20.401447058 CEST	49741	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:20.401479959 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:20.401498079 CEST	49741	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:20.401504993 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:20.401777029 CEST	49739	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:20.749520063 CEST	58709	49739	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:20.833578110 CEST	49739	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:21.189296007 CEST	58709	49739	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:21.286130905 CEST	49739	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:24.302033901 CEST	49739	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:24.343911886 CEST	49750	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:24.627571106 CEST	58709	49739	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:24.638798952 CEST	58709	49739	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:24.638947010 CEST	49739	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:24.669301987 CEST	58709	49750	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:24.669408083 CEST	49750	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:24.685048103 CEST	49750	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:24.994865894 CEST	58709	49750	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:25.036138058 CEST	49750	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:25.059936047 CEST	58709	49750	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:25.361478090 CEST	58709	49750	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:25.416300058 CEST	49750	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:25.598710060 CEST	49750	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:25.750092030 CEST	49751	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:25.750129938 CEST	443	49751	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:25.750211954 CEST	49751	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:25.751215935 CEST	49751	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:25.751255035 CEST	443	49751	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:25.966363907 CEST	58709	49750	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:26.119321108 CEST	443	49751	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:26.119421005 CEST	49751	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:26.124583006 CEST	49751	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:26.124603987 CEST	443	49751	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:26.124954939 CEST	443	49751	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:26.173285961 CEST	49751	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:26.220118999 CEST	443	49751	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:26.515436888 CEST	443	49751	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:26.515769005 CEST	443	49751	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:26.515925884 CEST	49751	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:26.515986919 CEST	49751	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:26.516005039 CEST	443	49751	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:26.516019106 CEST	49751	443	192.168.2.4	34.117.186.192
Apr 24, 2024 00:06:26.516024113 CEST	443	49751	34.117.186.192	192.168.2.4
Apr 24, 2024 00:06:26.517416000 CEST	49752	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:26.517452002 CEST	443	49752	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:26.517544031 CEST	49752	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:26.517926931 CEST	49752	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:26.517944098 CEST	443	49752	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:26.854123116 CEST	443	49752	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:26.854201078 CEST	49752	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:26.855463028 CEST	49752	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:26.855475903 CEST	443	49752	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:26.856447935 CEST	443	49752	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:26.857893944 CEST	49752	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:26.904115915 CEST	443	49752	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:27.372473001 CEST	443	49752	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:27.372617960 CEST	443	49752	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:27.372828960 CEST	49752	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:27.373168945 CEST	49752	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:27.373187065 CEST	443	49752	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:27.373202085 CEST	49752	443	192.168.2.4	172.67.75.166
Apr 24, 2024 00:06:27.373208046 CEST	443	49752	172.67.75.166	192.168.2.4
Apr 24, 2024 00:06:27.373667002 CEST	49750	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:27.747291088 CEST	58709	49750	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:27.750020027 CEST	58709	49750	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:27.801794052 CEST	49750	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:27.835692883 CEST	49750	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:28.174103975 CEST	58709	49750	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:28.223804951 CEST	49750	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:31.286319017 CEST	49750	58709	192.168.2.4	147.45.47.93
Apr 24, 2024 00:06:31.611741066 CEST	58709	49750	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:31.622988939 CEST	58709	49750	147.45.47.93	192.168.2.4
Apr 24, 2024 00:06:31.623099089 CEST	49750	58709	192.168.2.4	147.45.47.93

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 00:06:05.031101942 CEST	52236	53	192.168.2.4	1.1.1.1
Apr 24, 2024 00:06:05.184750080 CEST	53	52236	1.1.1.1	192.168.2.4
Apr 24, 2024 00:06:07.897388935 CEST	54355	53	192.168.2.4	1.1.1.1
Apr 24, 2024 00:06:08.053472042 CEST	53	54355	1.1.1.1	192.168.2.4
Apr 24, 2024 00:06:25.590873003 CEST	56213	53	192.168.2.4	1.1.1.1
Apr 24, 2024 00:06:25.745754957 CEST	53	56213	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 00:06:05.031101942 CEST	192.168.2.4	1.1.1.1	0x61a0	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Apr 24, 2024 00:06:07.897388935 CEST	192.168.2.4	1.1.1.1	0x15ec	Standard query (0)	db-ip.com	A (IP address)	IN (0x0001)	false
Apr 24, 2024 00:06:25.590873003 CEST	192.168.2.4	1.1.1.1	0x548f	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 00:06:05.184750080 CEST	1.1.1.1	192.168.2.4	0x61a0	No error (0)	ipinfo.io	34.117.186.192	A (IP address)	IN (0x0001)	false
Apr 24, 2024 00:06:08.053472042 CEST	1.1.1.1	192.168.2.4	0x15ec	No error (0)	db-ip.com	172.67.75.166	A (IP address)	IN (0x0001)	false
Apr 24, 2024 00:06:08.053472042 CEST	1.1.1.1	192.168.2.4	0x15ec	No error (0)	db-ip.com	104.26.4.15	A (IP address)	IN (0x0001)	false
Apr 24, 2024 00:06:08.053472042 CEST	1.1.1.1	192.168.2.4	0x15ec	No error (0)	db-ip.com	104.26.5.15	A (IP address)	IN (0x0001)	false
Apr 24, 2024 00:06:25.745754957 CEST	1.1.1.1	192.168.2.4	0x548f	No error (0)	ipinfo.io	34.117.186.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

https:

ipinfo.io

db-ip.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	34.117.186.192	443	5088	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 22:06:07 UTC	238	OUT	GET /widget/demo/154.16.105.36 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-04-23 22:06:07 UTC	513	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Tue, 23 Apr 2024 22:06:07 GMT content-type: application/json; charset=utf-8 Content-Length: 961 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 3 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-23 22:06:07 UTC	742	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4c 61 73 20 56 65 67 61 73 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 76 61 64 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 36 2e 31 37 35 30 2c 2d 31 31 35 2e 31 33 37 32 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 38 39 31 31 31 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d Data Ascii: { "input": "154.16.105.36", "data": { "ip": "154.16.105.36", "city": "Las Vegas", "region": "Nevada", "country": "US", "loc": "36.1750,-115.1372", "org": "AS174 Cogent Communications", "postal": "89111", "timezone": "Am
2024-04-23 22:06:07 UTC	219	IN	Data Raw: 53 74 61 74 65 20 53 74 72 65 65 74 2c 20 44 61 6c 6c 61 73 2c 20 54 58 20 37 35 32 30 34 2d 33 35 30 30 2c 20 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 69 70 78 6f 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 49 50 58 4f 20 49 6e 63 69 64 65 6e 74 20 52 65 73 70 6f 6e 73 65 20 54 65 61 6d 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 31 35 34 2e 31 36 2e 31 30 35 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: State Street, Dallas, TX 75204-3500, United States", "country": "US", "email": "abuse@ipxo.com", "name": "IPXO Incident Response Team", "network": "154.16.105.0/24", "phone": "" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	172.67.75.166	443	5088	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 22:06:08 UTC	262	OUT	GET /demo/home.php?s=154.16.105.36 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-04-23 22:06:09 UTC	658	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 22:06:08 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC46CF4D:6BB0_93878F2E:0050_662830D0_987DA69:7B63 x-iplb-instance: 59128 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TfYmxBcnuoIiLznAe79Bzi5PlyAkCudye3%2BWc4M44gReuVZ6b9blPWBilin5kxyvJhC0NW4gA0PLNBXmE%2FioLFE67h63%2FSUM4Ep%2FnbmahQJhZosjWEmkTb1P%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 879128b83e610912-LAX alt-svc: h3=":443"; ma=86400
2024-04-23 22:06:09 UTC	648	IN	Data Raw: 32 38 31 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 Data Ascii: 281{"status":"ok","demoInfo":{"ipAddress":"154.16.105.36","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages"
2024-04-23 22:06:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49735	34.117.186.192	443	7120	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 22:06:08 UTC	238	OUT	GET /widget/demo/154.16.105.36 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-04-23 22:06:09 UTC	513	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Tue, 23 Apr 2024 22:06:08 GMT content-type: application/json; charset=utf-8 Content-Length: 961 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 3 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-23 22:06:09 UTC	742	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4c 61 73 20 56 65 67 61 73 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 76 61 64 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 36 2e 31 37 35 30 2c 2d 31 31 35 2e 31 33 37 32 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 38 39 31 31 31 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d Data Ascii: { "input": "154.16.105.36", "data": { "ip": "154.16.105.36", "city": "Las Vegas", "region": "Nevada", "country": "US", "loc": "36.1750,-115.1372", "org": "AS174 Cogent Communications", "postal": "89111", "timezone": "Am
2024-04-23 22:06:09 UTC	219	IN	Data Raw: 53 74 61 74 65 20 53 74 72 65 65 74 2c 20 44 61 6c 6c 61 73 2c 20 54 58 20 37 35 32 30 34 2d 33 35 30 30 2c 20 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 69 70 78 6f 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 49 50 58 4f 20 49 6e 63 69 64 65 6e 74 20 52 65 73 70 6f 6e 73 65 20 54 65 61 6d 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 31 35 34 2e 31 36 2e 31 30 35 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: State Street, Dallas, TX 75204-3500, United States", "country": "US", "email": "abuse@ipxo.com", "name": "IPXO Incident Response Team", "network": "154.16.105.0/24", "phone": "" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49736	34.117.186.192	443	6208	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 22:06:08 UTC	238	OUT	GET /widget/demo/154.16.105.36 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-04-23 22:06:09 UTC	513	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Tue, 23 Apr 2024 22:06:08 GMT content-type: application/json; charset=utf-8 Content-Length: 961 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-23 22:06:09 UTC	742	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4c 61 73 20 56 65 67 61 73 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 76 61 64 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 36 2e 31 37 35 30 2c 2d 31 31 35 2e 31 33 37 32 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 38 39 31 31 31 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d Data Ascii: { "input": "154.16.105.36", "data": { "ip": "154.16.105.36", "city": "Las Vegas", "region": "Nevada", "country": "US", "loc": "36.1750,-115.1372", "org": "AS174 Cogent Communications", "postal": "89111", "timezone": "Am
2024-04-23 22:06:09 UTC	219	IN	Data Raw: 53 74 61 74 65 20 53 74 72 65 65 74 2c 20 44 61 6c 6c 61 73 2c 20 54 58 20 37 35 32 30 34 2d 33 35 30 30 2c 20 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 69 70 78 6f 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 49 50 58 4f 20 49 6e 63 69 64 65 6e 74 20 52 65 73 70 6f 6e 73 65 20 54 65 61 6d 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 31 35 34 2e 31 36 2e 31 30 35 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: State Street, Dallas, TX 75204-3500, United States", "country": "US", "email": "abuse@ipxo.com", "name": "IPXO Incident Response Team", "network": "154.16.105.0/24", "phone": "" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49738	172.67.75.166	443	6208	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 22:06:09 UTC	262	OUT	GET /demo/home.php?s=154.16.105.36 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-04-23 22:06:09 UTC	660	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 22:06:09 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC46D336:4536_93878F2E:0050_662830D1_987DA84:7B63 x-iplb-instance: 59128 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C6HskZzoQH%2F85CDdP%2B9x3JXZ%2FWdJYyO5aZO%2FGpxDeP7jOPutJ20QKqUna0yUE11KDzS7zZuXH29%2F180OITKcWVg1USLtFME6xHnIYiVFXB66bJr3%2BDFAghTUpA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 879128be3f88103c-LAX alt-svc: h3=":443"; ma=86400
2024-04-23 22:06:09 UTC	648	IN	Data Raw: 32 38 31 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 Data Ascii: 281{"status":"ok","demoInfo":{"ipAddress":"154.16.105.36","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages"
2024-04-23 22:06:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49737	172.67.75.166	443	7120	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 22:06:09 UTC	262	OUT	GET /demo/home.php?s=154.16.105.36 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-04-23 22:06:09 UTC	654	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 22:06:09 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC452251:4424_93878F2E:0050_662830D1_98AA41F:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B9szChYGlHwA4wXQjqb9oHhM31pTMJgKVyRaT03ZKI3H%2BX7trdzsuymPDYETWAyoOtRRqAKAPr0YGoe3jTLjQGdoTHUJUQq%2F1qySV3yzpj0c%2BtZwvMKI8vJx8w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 879128be3d3314ec-LAX alt-svc: h3=":443"; ma=86400
2024-04-23 22:06:09 UTC	648	IN	Data Raw: 32 38 31 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 Data Ascii: 281{"status":"ok","demoInfo":{"ipAddress":"154.16.105.36","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages"
2024-04-23 22:06:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49740	34.117.186.192	443	7276	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 22:06:19 UTC	238	OUT	GET /widget/demo/154.16.105.36 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-04-23 22:06:19 UTC	513	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Tue, 23 Apr 2024 22:06:19 GMT content-type: application/json; charset=utf-8 Content-Length: 961 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-23 22:06:19 UTC	742	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4c 61 73 20 56 65 67 61 73 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 76 61 64 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 36 2e 31 37 35 30 2c 2d 31 31 35 2e 31 33 37 32 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 38 39 31 31 31 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d Data Ascii: { "input": "154.16.105.36", "data": { "ip": "154.16.105.36", "city": "Las Vegas", "region": "Nevada", "country": "US", "loc": "36.1750,-115.1372", "org": "AS174 Cogent Communications", "postal": "89111", "timezone": "Am
2024-04-23 22:06:19 UTC	219	IN	Data Raw: 53 74 61 74 65 20 53 74 72 65 65 74 2c 20 44 61 6c 6c 61 73 2c 20 54 58 20 37 35 32 30 34 2d 33 35 30 30 2c 20 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 69 70 78 6f 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 49 50 58 4f 20 49 6e 63 69 64 65 6e 74 20 52 65 73 70 6f 6e 73 65 20 54 65 61 6d 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 31 35 34 2e 31 36 2e 31 30 35 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: State Street, Dallas, TX 75204-3500, United States", "country": "US", "email": "abuse@ipxo.com", "name": "IPXO Incident Response Team", "network": "154.16.105.0/24", "phone": "" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49741	172.67.75.166	443	7276	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 22:06:19 UTC	262	OUT	GET /demo/home.php?s=154.16.105.36 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-04-23 22:06:20 UTC	656	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 22:06:20 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC46D28C:8BEC_93878F2E:0050_662830DC_98AA55E:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7ZhJs9fAoG09fjuQEFouhX3rm%2B5PPsfqY8pAlJgIKm%2Bnq7mHhLyBXlt%2FLUikYIVsJkziVvz4uMMS5Q6dV4MCKQ3WPhh9Tv1G88caU0zL1VPy3vC0XVW5%2FEtdIg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 879128ff9b8c7c95-LAX alt-svc: h3=":443"; ma=86400
2024-04-23 22:06:20 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-23 22:06:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49751	34.117.186.192	443	7912	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 22:06:26 UTC	238	OUT	GET /widget/demo/154.16.105.36 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-04-23 22:06:26 UTC	513	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Tue, 23 Apr 2024 22:06:26 GMT content-type: application/json; charset=utf-8 Content-Length: 961 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-23 22:06:26 UTC	742	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4c 61 73 20 56 65 67 61 73 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 76 61 64 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 36 2e 31 37 35 30 2c 2d 31 31 35 2e 31 33 37 32 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 38 39 31 31 31 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d Data Ascii: { "input": "154.16.105.36", "data": { "ip": "154.16.105.36", "city": "Las Vegas", "region": "Nevada", "country": "US", "loc": "36.1750,-115.1372", "org": "AS174 Cogent Communications", "postal": "89111", "timezone": "Am
2024-04-23 22:06:26 UTC	219	IN	Data Raw: 53 74 61 74 65 20 53 74 72 65 65 74 2c 20 44 61 6c 6c 61 73 2c 20 54 58 20 37 35 32 30 34 2d 33 35 30 30 2c 20 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 69 70 78 6f 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 49 50 58 4f 20 49 6e 63 69 64 65 6e 74 20 52 65 73 70 6f 6e 73 65 20 54 65 61 6d 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 31 35 34 2e 31 36 2e 31 30 35 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: State Street, Dallas, TX 75204-3500, United States", "country": "US", "email": "abuse@ipxo.com", "name": "IPXO Incident Response Team", "network": "154.16.105.0/24", "phone": "" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49752	172.67.75.166	443	7912	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 22:06:26 UTC	262	OUT	GET /demo/home.php?s=154.16.105.36 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-04-23 22:06:27 UTC	664	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 22:06:27 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: A29E5ABE:99EC_93878F2E:0050_662830E3_987DCB7:7B63 x-iplb-instance: 59128 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9H25e3xypuW5iBKCAy%2FF883ArHAioyhHteJP0jGtRDBC%2By3d%2BLr8lGs%2BPHKgzGynGGwtW7lUXvIy6gO%2BdwLCwuD8Jze%2Bio%2B6P2wBkaVq%2BbUBhCrCoKN5SkQFlQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8791292b9fd12f1a-LAX alt-svc: h3=":443"; ma=86400
2024-04-23 22:06:27 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-23 22:06:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	00:06:00
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xa20000
File size:	2'187'792 bytes
MD5 hash:	6A1CA153932A4D9B645A9CF47F30DA65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2020444484.0000000005F70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2019353356.000000000140E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:06:02
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0x320000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:06:02
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:06:02
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0x320000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:06:02
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:06:03
Start date:	24/04/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x7e0000
File size:	2'187'792 bytes
MD5 hash:	6A1CA153932A4D9B645A9CF47F30DA65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000003.1763977169.0000000005D31000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000003.1763583252.0000000005D31000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000002.2009852596.0000000005CD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000002.2009988128.0000000005D31000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000003.1795771441.0000000005D31000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000003.1763775648.0000000005D31000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 21%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:06:03
Start date:	24/04/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x7e0000
File size:	2'187'792 bytes
MD5 hash:	6A1CA153932A4D9B645A9CF47F30DA65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000003.1765470326.0000000006111000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000002.2001629494.0000000006112000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000003.1765088851.0000000006111000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000002.2001491145.0000000005D79000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2000818189.00000000013E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:06:10
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x570000
File size:	2'187'792 bytes
MD5 hash:	6A1CA153932A4D9B645A9CF47F30DA65
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 21%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:06:18
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6208 -s 1900
Imagebase:	0x3d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	00:06:18
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 1936
Imagebase:	0x3d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	00:06:18
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1196
Imagebase:	0x3d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	00:06:21
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x570000
File size:	2'187'792 bytes
MD5 hash:	6A1CA153932A4D9B645A9CF47F30DA65
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	23.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	49.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	62

Executed Functions

Function 00AC7D20 Relevance: 350.8, APIs: 10, Strings: 179, Instructions: 20001COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00AC7D97

Part of subcall function 00AE33B0: FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 00AE34EF

Strings

v<Ea, xrefs: 00AE206C
v<Ea, xrefs: 00AE2FDD
v<Ea, xrefs: 00AC9AE3
v<Ea, xrefs: 00AE0A26
v<Ea, xrefs: 00AE0ED1
v<Ea, xrefs: 00ADC27B
v<Ea, xrefs: 00AD5385
v<Ea, xrefs: 00AD0C48
v<Ea, xrefs: 00AD70BE
v<Ea, xrefs: 00AE2959
v<Ea, xrefs: 00AD2FDE
v<Ea, xrefs: 00AE1A86
v<Ea, xrefs: 00ADAC21
v<Ea, xrefs: 00AD3996
v<Ea, xrefs: 00ADB12B
v<Ea, xrefs: 00AE2BA9
v<Ea, xrefs: 00AE2E29
v<Ea, xrefs: 00AD30CE
v<Ea, xrefs: 00AE11DD
v<Ea, xrefs: 00AD2EF1
v<Ea, xrefs: 00AC88EA
v<Ea, xrefs: 00AD0D48
v<Ea, xrefs: 00AD4B47
v<Ea, xrefs: 00AD9026
v<Ea, xrefs: 00AD7B6A
v<Ea, xrefs: 00ACAFB5
v<Ea, xrefs: 00AD1FB5
v<Ea, xrefs: 00ADDBA8
v<Ea, xrefs: 00AC852A
v<Ea, xrefs: 00ADD002
v<Ea, xrefs: 00ADAEFC
v<Ea, xrefs: 00ACDECE
v<Ea, xrefs: 00ADD6CA
v<Ea, xrefs: 00AD678A
v<Ea, xrefs: 00ADC146
v<Ea, xrefs: 00AE2DDD
v<Ea, xrefs: 00AC8A68
v<Ea, xrefs: 00ADD535
v<Ea, xrefs: 00AD2A0E
v<Ea, xrefs: 00AD6BA7
v<Ea, xrefs: 00AD35B1
v<Ea, xrefs: 00AD1F69
v<Ea, xrefs: 00AD945E
v<Ea, xrefs: 00AD2935
v<Ea, xrefs: 00AD1D43
v<Ea, xrefs: 00AE1153
cannot use push_back() with , xrefs: 00ACE46B, 00ACE6E3, 00AD0717, 00AD0908, 00AD5646, 00AD57DE, 00ADB379, 00ADB3D0, 00ADB424, 00ADD1D3, 00ADD3AB, 00ADF089, 00ADF230, 00AE330A
v<Ea, xrefs: 00AE0B5E
v<Ea, xrefs: 00ACB120
v<Ea, xrefs: 00ADDF50
v<Ea, xrefs: 00AD734F
v<Ea, xrefs: 00ACB16C
v<Ea, xrefs: 00AD76BD
v<Ea, xrefs: 00AD2EA5
v<Ea, xrefs: 00ACFE1A
v<Ea, xrefs: 00AD5AD6
v<Ea, xrefs: 00ACDF59
v<Ea, xrefs: 00ADDBDC
v<Ea, xrefs: 00AE0BAA
v<Ea, xrefs: 00AE15EC
v<Ea, xrefs: 00AD0086
v<Ea, xrefs: 00AD791E
v<Ea, xrefs: 00AD9BAB
v<Ea, xrefs: 00AD465C
v<Ea, xrefs: 00AE1308
v<Ea, xrefs: 00ACBF12
v<Ea, xrefs: 00ADC198
v<Ea, xrefs: 00AD191D
v<Ea, xrefs: 00AD3B9F
v<Ea, xrefs: 00AE107A
v<Ea, xrefs: 00AD8F9B
v<Ea, xrefs: 00AD2F8C
v<Ea, xrefs: 00AD73DD
v<Ea, xrefs: 00AE1465
v<Ea, xrefs: 00ADE45B
v<Ea, xrefs: 00ADAF48
v<Ea, xrefs: 00AD9078
v<Ea, xrefs: 00AC8B57
v<Ea, xrefs: 00AD4019
v<Ea, xrefs: 00AE2527
v<Ea, xrefs: 00AE2BF5
v<Ea, xrefs: 00AD4065
v<Ea, xrefs: 00AD66A9
v<Ea, xrefs: 00AD05B7
v<Ea, xrefs: 00AD0E27
v<Ea, xrefs: 00ADFFF8
v<Ea, xrefs: 00ACE27A
v<Ea, xrefs: 00ACE22E
v<Ea, xrefs: 00AE2677
v<Ea, xrefs: 00AD21A1
v<Ea, xrefs: 00AD6C71
v<Ea, xrefs: 00AD6F3A
v<Ea, xrefs: 00AD4B99
v<Ea, xrefs: 00AD7592
v<Ea, xrefs: 00AD00D2
v<Ea, xrefs: 00AE29A5
v<Ea, xrefs: 00AE0F1D
v<Ea, xrefs: 00AD6657
v<Ea, xrefs: 00AD3BEB
v<Ea, xrefs: 00ADF5C2
v<Ea, xrefs: 00AC9693
v<Ea, xrefs: 00ADA75B
v<Ea, xrefs: 00AE1028
v<Ea, xrefs: 00AD4C76
v<Ea, xrefs: 00AD7072
v<Ea, xrefs: 00AD28E3
v<Ea, xrefs: 00ADA70F
v<Ea, xrefs: 00AD3D73
v<Ea, xrefs: 00AE0789
R~u, xrefs: 00ACF86A
v<Ea, xrefs: 00AD7CF1
v<Ea, xrefs: 00ADA312
v<Ea, xrefs: 00ADEF35
v<Ea, xrefs: 00ADF576
v<Ea, xrefs: 00AD9690
v<Ea, xrefs: 00AE0A78
v<Ea, xrefs: 00AD9324
v<Ea, xrefs: 00AD7508
v<Ea, xrefs: 00AD2859
v<Ea, xrefs: 00ADD696
v<Ea, xrefs: 00AD0DD5
cannot use operator[] with a string argument with , xrefs: 00ACE8A5, 00ACE8DD, 00ACE930, 00ACE965, 00ACE99C, 00AD0872, 00AD08B0, 00AD0965, 00AD57A4, 00AD583D, 00ADB31D, 00ADB484, 00ADB4D9, 00ADB52E, 00ADB589, 00ADB5DE, 00ADB633, 00ADB688, 00ADB6DD, 00ADB732, 00ADD315, 00ADD353, 00ADD408, 00ADF19A, 00ADF1D8, 00ADF28D, 00AE3298, 00AE32D0, 00AE3362
v<Ea, xrefs: 00AD55DA
v<Ea, xrefs: 00AE24DB
v<Ea, xrefs: 00ACE53E
v<Ea, xrefs: 00AD72FD
v<Ea, xrefs: 00AD53D1
v<Ea, xrefs: 00AD7CA5
v<Ea, xrefs: 00AD989D
v<Ea, xrefs: 00AE14B7
v<Ea, xrefs: 00ADAC6D
v<Ea, xrefs: 00ACF38F
v<Ea, xrefs: 00AC9542
v<Ea, xrefs: 00AE0969
v<Ea, xrefs: 00AD78D2
v<Ea, xrefs: 00AE00FC
v<Ea, xrefs: 00ADA538
v<Ea, xrefs: 00ADE7A6
v<Ea, xrefs: 00AD8BDC
v<Ea, xrefs: 00AD23E1
v<Ea, xrefs: 00AE0234
v<Ea, xrefs: 00AD311A
v<Ea, xrefs: 00AC8619
v<Ea, xrefs: 00AD67D6
v<Ea, xrefs: 00AD2C69
v<Ea, xrefs: 00AD196F
v<Ea, xrefs: 00ACDFAB
v<Ea, xrefs: 00AE2149
v<Ea, xrefs: 00AE26C3
v<Ea, xrefs: 00AE20BE
v<Ea, xrefs: 00AD8F49
v<Ea, xrefs: 00AD4849
v<Ea, xrefs: 00AE0673
v<Ea, xrefs: 00AD94B0
v<Ea, xrefs: 00AD39E2
v<Ea, xrefs: 00ADC5A1
v<Ea, xrefs: 00ADC2C7
v<Ea, xrefs: 00AE0280
v<Ea, xrefs: 00AE219B
v<Ea, xrefs: 00ADE283
v<Ea, xrefs: 00AD0CFC
v<Ea, xrefs: 00AE122F
v<Ea, xrefs: 00ADA9D8
v<Ea, xrefs: 00AE073D
v<Ea, xrefs: 00AD1A50
v<Ea, xrefs: 00ADC7E9
v<Ea, xrefs: 00AD2C1D
v<Ea, xrefs: 00ADDE6D
v<Ea, xrefs: 00AE2F91
v<Ea, xrefs: 00AD75E4
v<Ea, xrefs: 00AD6E7E
v<Ea, xrefs: 00AD3DBF
v<Ea, xrefs: 00AE014E
v<Ea, xrefs: 00ADE4AD
v<Ea, xrefs: 00AE15A0
v<Ea, xrefs: 00AE0517
v<Ea, xrefs: 00AD9F9C
v<Ea, xrefs: 00ACDE7C
v<Ea, xrefs: 00ACC191

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: FileFindFirstFolderPath
String ID: R~u$cannot use operator[] with a string argument with $cannot use push_back() with $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
API String ID: 2195519125-797077965
Opcode ID: 06bc4295fa5ae65b72d1a93bbc7dc4a3e8f2f99480897bde375ea5260e1ee0aa
Instruction ID: 3c3ff0760b573b1c25f9adf8e9130c42b9a77f5f80f45a91c44744d858ce3815
Opcode Fuzzy Hash: 06bc4295fa5ae65b72d1a93bbc7dc4a3e8f2f99480897bde375ea5260e1ee0aa
Instruction Fuzzy Hash: 68B401B4D052698BDB25CF68C984BEDBBB1AF59304F1082DAD849B7241DB706F84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00ABCBF0 Relevance: 172.9, APIs: 6, Strings: 91, Instructions: 3171stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00ABCD44
GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00ABCE42
GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 00ABD035
CreateDirectoryA.KERNEL32(?,00000000), ref: 00ABF796

Part of subcall function 00B04050: GetFileAttributesA.KERNELBASE(?,?,?,00A80224), ref: 00B040AC
Part of subcall function 00B04050: GetLastError.KERNEL32(?,?,00A80224), ref: 00B040B7

CreateDirectoryA.KERNEL32(?,00000000), ref: 00ABFA7D
lstrlen.KERNEL32(?), ref: 00AC0FAE

Strings

v<Ea, xrefs: 00ABE61F
v<Ea, xrefs: 00ABD9DC
v<Ea, xrefs: 00ABF12A
v<Ea, xrefs: 00ABE5CD
v<Ea, xrefs: 00AC0560
v<Ea, xrefs: 00ABFE73
v<Ea, xrefs: 00ABD2A8
v<Ea, xrefs: 00ABD3E5
v<Ea, xrefs: 00ABF0D8
v<Ea, xrefs: 00ABF5C2
v<Ea, xrefs: 00AC0AA0
v<Ea, xrefs: 00AC0B48
v<Ea, xrefs: 00ABED58
v<Ea, xrefs: 00ABE216
v<Ea, xrefs: 00ABE85C
v<Ea, xrefs: 00AC0C5F
v<Ea, xrefs: 00ABE6AD
v<Ea, xrefs: 00ABF85B
v<Ea, xrefs: 00ABD2FA
v<Ea, xrefs: 00ABD0B3
v<Ea, xrefs: 00ABDED5
v<Ea, xrefs: 00ABF576
v<Ea, xrefs: 00ABFB0E
v<Ea, xrefs: 00ABDE89
v<Ea, xrefs: 00ABFD8D
v<Ea, xrefs: 00AC0116
v<Ea, xrefs: 00AC0E83
v<Ea, xrefs: 00AC0654
v<Ea, xrefs: 00ABF4C8
v<Ea, xrefs: 00ABEDA4
v<Ea, xrefs: 00ABEB03
v<Ea, xrefs: 00ABFDDF
v<Ea, xrefs: 00AC0608
v<Ea, xrefs: 00ABF3D9
XO4, xrefs: 00ABD399
v<Ea, xrefs: 00ABF03B
v<Ea, xrefs: 00ABE80A
v<Ea, xrefs: 00ABE938
v<Ea, xrefs: 00ABFC02
v<Ea, xrefs: 00ABE0AA
v<Ea, xrefs: 00ABEFE9
v<Ea, xrefs: 00AC0B94
cannot use operator[] with a string argument with , xrefs: 00AC1091, 00AC10E6
v<Ea, xrefs: 00AC07E4
v<Ea, xrefs: 00ABD067
v<Ea, xrefs: 00AC02A6
v<Ea, xrefs: 00AC0403
v<Ea, xrefs: 00AC0022
v<Ea, xrefs: 00ABFFD0
v<Ea, xrefs: 00ABE6FF
v<Ea, xrefs: 00ABD68A
v<Ea, xrefs: 00ABEB9A
cannot use push_back() with , xrefs: 00AC1038
v<Ea, xrefs: 00ABEBE6
v<Ea, xrefs: 00ABF6FC
v<Ea, xrefs: 00ABE05E
v<Ea, xrefs: 00ABCE7D
v<Ea, xrefs: 00AC00CA
v<Ea, xrefs: 00ABFBB6
v<Ea, xrefs: 00AC0830
v<Ea, xrefs: 00ABDC4E
v<Ea, xrefs: 00ABF8A7
v<Ea, xrefs: 00ABDC9A
v<Ea, xrefs: 00ABF476
v<Ea, xrefs: 00AC02F2
v<Ea, xrefs: 00ABEA1E
v<Ea, xrefs: 00ABF920
v<Ea, xrefs: 00AC01E1
v<Ea, xrefs: 00ABD21C
v<Ea, xrefs: 00ABCDC3
v<Ea, xrefs: 00ABFABC
v<Ea, xrefs: 00ABFCCD
v<Ea, xrefs: 00ABE262
v<Ea, xrefs: 00ABCECF
v<Ea, xrefs: 00ABCFD8
v<Ea, xrefs: 00AC0D24
v<Ea, xrefs: 00ABDA28
v<Ea, xrefs: 00AC0943
v<Ea, xrefs: 00ABF972
v<Ea, xrefs: 00AC0D70
v<Ea, xrefs: 00ABFEC5
v<Ea, xrefs: 00AC071F
v<Ea, xrefs: 00ABF38D
v<Ea, xrefs: 00ABECC1
v<Ea, xrefs: 00ABCF85
v<Ea, xrefs: 00AC03B1
v<Ea, xrefs: 00ABF27C
v<Ea, xrefs: 00ABEC6F
v<Ea, xrefs: 00AC018F
v<Ea, xrefs: 00ABEEDE
v<Ea, xrefs: 00ABFC7B

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: CreateDirectoryPrivateProfile$AttributesErrorFileFolderLastNamesPathSectionStringlstrlen
String ID: XO4$cannot use operator[] with a string argument with $cannot use push_back() with $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
API String ID: 2833034228-769388876
Opcode ID: 4ede8bbb6f0c03af483c9e76b698040814b059554ff910889fd3363402bb0ad8
Instruction ID: e38814cb2e19a82354c9964b0f29786c53162eab8c1710a6b9d710b67a2dead3
Opcode Fuzzy Hash: 4ede8bbb6f0c03af483c9e76b698040814b059554ff910889fd3363402bb0ad8
Instruction Fuzzy Hash: AC93BBB4D152A88ADB65CF28C995BEDBBB5AF49304F0082DAD949B7241DB702FC4CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00AFD2B0 Relevance: 112.4, APIs: 50, Strings: 12, Instructions: 3939registrytimefileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 00AFD4BB
CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00B82B0C,00000001,0000002E,0000002F,?,00B783D1,00A32233,00B783D1), ref: 00AFD78B
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00AFD906
FindNextFileA.KERNEL32(00000000,?), ref: 00AFD91C
FindClose.KERNEL32(00000000), ref: 00AFD92C
GetLastError.KERNEL32 ref: 00AFD932
GetLastError.KERNEL32 ref: 00AFD950

Part of subcall function 00B04590: GetCurrentProcess.KERNEL32(00AFDCB0), ref: 00B0459F
Part of subcall function 00B04590: IsWow64Process.KERNEL32(00000000), ref: 00B045A6

Part of subcall function 00A6195B: GetSystemTimeAsFileTime.KERNEL32(00AFDE28,00000000,00000000,?,?,?,00AFDE28,00000000), ref: 00A61970
Part of subcall function 00A6195B: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A6198F

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?,?,?), ref: 00AFE0E1
RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?), ref: 00AFE1AD
RegCloseKey.ADVAPI32(?), ref: 00AFE1E2
GetCurrentHwProfileA.ADVAPI32(?), ref: 00AFE37A
GetModuleHandleExA.KERNEL32(00000004,00B03370,?,?,?,?,?,?,?,?,00000000), ref: 00AFE87B
GetModuleFileNameA.KERNEL32(?,?,00000104,?,?,?,?,?,?,?,00000000), ref: 00AFE893
RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?), ref: 00AFF246
RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?), ref: 00AFF312
RegCloseKey.ADVAPI32(?), ref: 00AFF591
GetComputerNameA.KERNEL32(?,?), ref: 00AFF5C5
GetUserNameA.ADVAPI32(?,?), ref: 00AFF763
GetDesktopWindow.USER32 ref: 00AFF806
GetWindowRect.USER32(00000000,?), ref: 00AFF814
GetUserDefaultLocaleName.KERNEL32(?,00000200), ref: 00AFF97F
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00AFFE45
LocalAlloc.KERNEL32(00000040), ref: 00AFFE57
GetKeyboardLayoutList.USER32(?,00000000), ref: 00AFFE72
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00AFFE9D
LocalFree.KERNEL32(?), ref: 00B00060
GetLocalTime.KERNEL32(?), ref: 00B00077
GetSystemTime.KERNEL32(?), ref: 00B0028D
GetTimeZoneInformation.KERNELBASE(?), ref: 00B002B0
TzSpecificLocalTimeToSystemTime.KERNELBASE(?,?,?), ref: 00B002D5
RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 00B006EF
RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?), ref: 00B00841
RegCloseKey.ADVAPI32(?), ref: 00B008F2
GetSystemInfo.KERNELBASE(?), ref: 00B0091A
GlobalMemoryStatusEx.KERNELBASE(?), ref: 00B009CD
EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 00B00AE1
EnumDisplayDevicesA.USER32(00000000,00000001,?,00000001), ref: 00B00EC4
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B01003
Process32First.KERNEL32(00000000,?), ref: 00B0101B
Process32Next.KERNEL32(00000000,?), ref: 00B01031
Process32Next.KERNEL32(00000000,?), ref: 00B01103
CloseHandle.KERNEL32(00000000), ref: 00B01112
RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 00B01486
RegEnumKeyExA.KERNELBASE(?,00000000,?,?), ref: 00B014BD
wsprintfA.USER32 ref: 00B015A0
RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 00B015C3
RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400), ref: 00B016C2
RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400), ref: 00B017B9
RegCloseKey.ADVAPI32(?), ref: 00B01895
RegCloseKey.ADVAPI32(?), ref: 00B018B0

Strings

v<Ea, xrefs: 00B014F7
v<Ea, xrefs: 00B00D13
v<Ea, xrefs: 00B01657
v<Ea, xrefs: 00AFFDDC
v<Ea, xrefs: 00B0153D
v<Ea, xrefs: 00B0174E
v<Ea, xrefs: 00B019DB
lafos, xrefs: 00AFDCD4, 00AFDD5E
1.9, xrefs: 00AFDD77, 00AFDE08
|<Ea, xrefs: 00B017F3
v<Ea, xrefs: 00AFFF1A
v<Ea, xrefs: 00B0134F

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: CloseTime$FileOpenQueryValue$LocalNameSystem$EnumFindNextProcess32$CreateCurrentDevicesDisplayErrorFirstHandleInfoKeyboardLastLayoutListLocaleModuleProcessUserWindow$AllocComputerCopyDefaultDesktopDirectoryFreeGlobalInformationMemoryProfileRectSnapshotSpecificStatusToolhelp32Unothrow_t@std@@@Wow64Zone__ehfuncinfo$??2@wsprintf
String ID: 1.9$lafos$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$|<Ea
API String ID: 3185416054-762126345
Opcode ID: 8e72663950cf9c4bf1d0e0647f9dffed170a9456246e06c514b3b67920723bfe
Instruction ID: 5d6de9785f8631dae1137ed0b153005cdf02e9746840745c02eb1c1001b726a9
Opcode Fuzzy Hash: 8e72663950cf9c4bf1d0e0647f9dffed170a9456246e06c514b3b67920723bfe
Instruction Fuzzy Hash: AEB3EFB4D0426D8BDB25CF98C985BEEBBB5BF48300F104199E958B7341DB702A85CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A9F730 Relevance: 110.7, APIs: 7, Strings: 55, Instructions: 2202COMMON

Download Yara Rule

APIs

Part of subcall function 00B04050: GetFileAttributesA.KERNELBASE(?,?,?,00A80224), ref: 00B040AC
Part of subcall function 00B04050: GetLastError.KERNEL32(?,?,00A80224), ref: 00B040B7

SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?), ref: 00AA02CB
SHGetFolderPathA.SHELL32(00000000,00000005,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00AA05C7
SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00AA08C5
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00AA0C25
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00AA0F53
SHGetFolderPathA.SHELL32(00000000,00000008,00000000,00000000,?), ref: 00AA1257
Concurrency::cancel_current_task.LIBCPMT ref: 00AA2001

Strings

type must be string, but is , xrefs: 00AA207B
v<Ea, xrefs: 00AA167B
v<Ea, xrefs: 00AA151C
v<Ea, xrefs: 00AA191C
v<Ea, xrefs: 00AA162F
v<Ea, xrefs: 00AA0CED
v<Ea, xrefs: 00AA1568
v<Ea, xrefs: 00AA30E0
v<Ea, xrefs: 00AA22BE
v<Ea, xrefs: 00AA098B
v<Ea, xrefs: 00AA23D3
v<Ea, xrefs: 00AA312C
v<Ea, xrefs: 00AA131B
v<Ea, xrefs: 00AA068B
v<Ea, xrefs: 00AA038F
v<Ea, xrefs: 00AA081A
v<Ea, xrefs: 00AA2BE8
v<Ea, xrefs: 00AA0B79
v<Ea, xrefs: 00AA1166
"o`a, xrefs: 00AA04D6
v<Ea, xrefs: 00AA29AF
v<Ea, xrefs: 00AA241F
v<Ea, xrefs: 00A9FE93
S<Ea, xrefs: 00AA0343
v<Ea, xrefs: 00A9F8A3
v<Ea, xrefs: 00AA1A2B
0u$, xrefs: 00AA07CE
v<Ea, xrefs: 00AA101B
v<Ea, xrefs: 00AA11B2
"o`a, xrefs: 00AA063F
S<Ea, xrefs: 00AA01CF
cannot get value, xrefs: 00AA1F7E, 00AA20B8
v<Ea, xrefs: 00A9FD3C
v<Ea, xrefs: 00A9FA6D
v<Ea, xrefs: 00AA0522
v<Ea, xrefs: 00AA021B
v<Ea, xrefs: 00AA2817
cannot compare iterators of different containers, xrefs: 00AA1FBD
v<Ea, xrefs: 00A9FB4F
v<Ea, xrefs: 00AA2963
v<Ea, xrefs: 00AA2310
v<Ea, xrefs: 00AA12CF
v<Ea, xrefs: 00A9F988
S<Ea, xrefs: 00AA0CA1
v<Ea, xrefs: 00AA0EA8
type must be boolean, but is , xrefs: 00AA2027
v<Ea, xrefs: 00AA27CB
v<Ea, xrefs: 00AA18D0
v<Ea, xrefs: 00A9FE47
v<Ea, xrefs: 00AA17CE
S<Ea, xrefs: 00AA0B2D
0u$, xrefs: 00AA093F
v<Ea, xrefs: 00AA2B9C
v<Ea, xrefs: 00AA181A
v<Ea, xrefs: 00AA19DF

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: FolderPath$AttributesConcurrency::cancel_current_taskErrorFileLast
String ID: "o`a$"o`a$0u$$0u$$S<Ea$S<Ea$S<Ea$S<Ea$cannot compare iterators of different containers$cannot get value$type must be boolean, but is $type must be string, but is $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
API String ID: 1974481932-1050980232
Opcode ID: 5f4f9fcff5536f5bc5bcc249894e6fad9e90acc2ca8b0195abb262ffe897e79f
Instruction ID: e4ac2f1ae6fec5ab82574c2402743ff5743b614bb49ccd40ee2c17a9e69379ec
Opcode Fuzzy Hash: 5f4f9fcff5536f5bc5bcc249894e6fad9e90acc2ca8b0195abb262ffe897e79f
Instruction Fuzzy Hash: 064300B4D042688BDB65CF28C994BEDBBB5AF49304F1082D9D859B7281EB706F84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00A2B8E0 Relevance: 102.1, APIs: 40, Strings: 15, Instructions: 5855fileCOMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A2BA08
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A2BAD2
CopyFileA.KERNEL32(?,00000000,00000000), ref: 00A2BF80
CopyFileA.KERNEL32(?,00000000,00000000), ref: 00A2C47A
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A2C575
CopyFileA.KERNEL32(?,00000000,00000000), ref: 00A2C969
CopyFileA.KERNEL32(?,00000000,00000000), ref: 00A2CD72
CopyFileA.KERNEL32(?,00000000,00000000), ref: 00A2D17B
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A2D29A
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A2D6F8
CopyFileA.KERNEL32(?,00000000,00000000), ref: 00A2D9DC
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A2DAD7
CopyFileA.KERNEL32(?,00000000,00000000), ref: 00A2DE41
CopyFileA.KERNEL32(?,?,00000000), ref: 00A2E55A
CopyFileA.KERNEL32(?,00000000,00000000), ref: 00A2ECF6
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00A2EEEA
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A2F45B
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A2F525
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00A301ED
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00A30580
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00A3088D
CopyFileA.KERNEL32(?,00000000,00000000), ref: 00A30DC4
CopyFileA.KERNEL32(?,?,00000000), ref: 00A3173C
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A31904
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00A31CD7
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A31E6E
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A31FBE
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00A30B14

Part of subcall function 00AFD2B0: CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00B82B0C,00000001,0000002E,0000002F,?,00B783D1,00A32233,00B783D1), ref: 00AFD78B

CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A30F12
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A2FEF1

Part of subcall function 00B03B20: GetLastError.KERNEL32 ref: 00B03ED0

CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A2FC55

Part of subcall function 00AFD2B0: FindFirstFileA.KERNEL32(00000000,?), ref: 00AFD4BB

CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A2F933

Part of subcall function 00B03B20: SetFileAttributesA.KERNEL32(?,00000080,?,?,00BA64F8,?,?), ref: 00B03E3A
Part of subcall function 00B03B20: DeleteFileA.KERNEL32(?), ref: 00B03E54
Part of subcall function 00B03B20: RemoveDirectoryA.KERNELBASE(?), ref: 00B03EBB
Part of subcall function 00B03B20: std::_Throw_Cpp_error.LIBCPMT ref: 00B03F97
Part of subcall function 00B03B20: std::_Throw_Cpp_error.LIBCPMT ref: 00B03FA8

Part of subcall function 00B04050: std::_Throw_Cpp_error.LIBCPMT ref: 00B040FF
Part of subcall function 00B04050: std::_Throw_Cpp_error.LIBCPMT ref: 00B04110

CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A2E6FA

Part of subcall function 00AE33B0: FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 00AE34EF

Part of subcall function 00A49070: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 00A4910D
Part of subcall function 00A49070: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 00A49155

CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A2DF3C

Part of subcall function 00B03B20: FindNextFileA.KERNELBASE(?,00000010), ref: 00B03E68
Part of subcall function 00B03B20: FindClose.KERNEL32(?), ref: 00B03E7A
Part of subcall function 00B03B20: GetLastError.KERNEL32 ref: 00B03E80
Part of subcall function 00B03B20: SetFileAttributesA.KERNELBASE(?,00000080), ref: 00B03E9D

CopyFileA.KERNEL32(?,00000000,00000000), ref: 00A2D5FD

Part of subcall function 00B03B20: FindFirstFileA.KERNELBASE(00000000,?,00BA64F8,?,?,?,\*.*,00000004), ref: 00B03C95

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00A2BB07

Part of subcall function 00B04050: GetFileAttributesA.KERNELBASE(?,?,?,00A80224), ref: 00B040AC
Part of subcall function 00B04050: GetLastError.KERNEL32(?,?,00A80224), ref: 00B040B7

CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A2BD08
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00A2BD37
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A2C0CC
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A2C196

Strings

v<Ea, xrefs: 00A2E414
v<Ea, xrefs: 00A2E300
v<Ea, xrefs: 00A32177
v<Ea, xrefs: 00A31390
v<Ea, xrefs: 00A3127C
v<Ea, xrefs: 00A315AE
v<Ea, xrefs: 00A313DC
v<Ea, xrefs: 00A2E34C
v<Ea, xrefs: 00A2E244
v<Ea, xrefs: 00A314A0
v<Ea, xrefs: 00A2E1F8
v<Ea, xrefs: 00A314EC
v<Ea, xrefs: 00A312C8
v<Ea, xrefs: 00A31016
v<Ea, xrefs: 00A2E040

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: Directory$Create$File$Copy$Find$Cpp_errorThrow_std::_$AttributesErrorFirstLast$FolderPath___std_fs_convert_narrow_to_wide@20$CloseDeleteNextRemove
String ID: v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
API String ID: 1172780710-2632615832
Opcode ID: c3f4c4cf11642c556376d4cd0506d9c5b4d53064c2b85cec5e12eeb6a7bd9c76
Instruction ID: bfa99450103de2b08c9c4b14f93c39ab3b9a600bc206a9086780b6eb623cb382
Opcode Fuzzy Hash: c3f4c4cf11642c556376d4cd0506d9c5b4d53064c2b85cec5e12eeb6a7bd9c76
Instruction Fuzzy Hash: 29F3D0B4D0426D8BDF15CFA8D981AEEBBB0BF18300F104199D959B7341EB742A85CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00AB1A60 Relevance: 75.5, APIs: 11, Strings: 31, Instructions: 1966fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00AB1AC7

Part of subcall function 00B04050: GetFileAttributesA.KERNELBASE(?,?,?,00A80224), ref: 00B040AC
Part of subcall function 00B04050: GetLastError.KERNEL32(?,?,00A80224), ref: 00B040B7

FindFirstFileA.KERNEL32(?,?), ref: 00AB207F
FindNextFileA.KERNEL32(00000000,?), ref: 00AB248C
FindClose.KERNEL32(00000000), ref: 00AB249C
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AB2573
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AB2639
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00AB27BD

Part of subcall function 00B04050: std::_Throw_Cpp_error.LIBCPMT ref: 00B040FF
Part of subcall function 00B04050: std::_Throw_Cpp_error.LIBCPMT ref: 00B04110

CreateDirectoryA.KERNEL32(?,00000000), ref: 00AB2964
CopyFileA.KERNEL32(00000000,?,00000000), ref: 00AB2C18
CopyFileA.KERNEL32(?,00000000,00000000), ref: 00AB3158
CredEnumerateA.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,00000004), ref: 00AB351D

Part of subcall function 00A551EB: RaiseException.KERNEL32(E06D7363,00000001,00000003,00A3ABA8,?,?,?,00A51CF9,00A3ABA8,00B969D8,00000000,00A3ABA8), ref: 00A5524B

Strings

v<Ea, xrefs: 00AB20FE
v<Ea, xrefs: 00AB2FE2
v<Ea, xrefs: 00AB2F96
v<Ea, xrefs: 00AB3A2C
v<Ea, xrefs: 00AB28B0
v<Ea, xrefs: 00AB299C
v<Ea, xrefs: 00AB36D2
v<Ea, xrefs: 00AB3386
v<Ea, xrefs: 00AB389E
v<Ea, xrefs: 00AB2DB4
v<Ea, xrefs: 00AB3B65
v<Ea, xrefs: 00AB2A5E
v<Ea, xrefs: 00AB2150
v<Ea, xrefs: 00AB2B7A
v<Ea, xrefs: 00AB20CA
v<Ea, xrefs: 00AB3BB7
v<Ea, xrefs: 00AB38F0
v<Ea, xrefs: 00AB39DA
v<Ea, xrefs: 00AB3CC3
v<Ea, xrefs: 00AB3686
v<Ea, xrefs: 00AB29D6
v<Ea, xrefs: 00AB285E
v<Ea, xrefs: 00AB2E96
v<Ea, xrefs: 00AB2184
v<Ea, xrefs: 00AB30B2
v<Ea, xrefs: 00AB3C77
cannot use operator[] with a string argument with , xrefs: 00AB3E34, 00AB3E8E
v<Ea, xrefs: 00AB2B28
v<Ea, xrefs: 00AB2EE8
v<Ea, xrefs: 00AB2AAA
v<Ea, xrefs: 00AB275D

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: File$CopyCreateDirectoryFind$Cpp_errorThrow_std::_$AttributesCloseCredEnumerateErrorExceptionFirstFolderLastNextPathRaise
String ID: cannot use operator[] with a string argument with $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
API String ID: 2195218309-249588351
Opcode ID: 020bff161018edf05ecf2d5b62471b8b1037672f84838f01d71c24045b01c23b
Instruction ID: 0e2b7548f84d89e0b2ab4c5a79134dd5e826cccd56e56755b237ae6fb43c543b
Opcode Fuzzy Hash: 020bff161018edf05ecf2d5b62471b8b1037672f84838f01d71c24045b01c23b
Instruction Fuzzy Hash: CE33EEB4D042A88BDB65CF68C995BEDBBB4BF19300F1081D9D849B7342EB706A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00AB61D0 Relevance: 73.9, APIs: 4, Strings: 37, Instructions: 2129stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00AB6324
GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00AB6422
GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 00AB6618
lstrlen.KERNEL32(?), ref: 00AB8931

Strings

v<Ea, xrefs: 00AB7AA9
cannot use push_back() with , xrefs: 00AB8851, 00AB89DA
v<Ea, xrefs: 00AB6868
v<Ea, xrefs: 00AB761D
v<Ea, xrefs: 00AB6A5C
v<Ea, xrefs: 00AB7E92
v<Ea, xrefs: 00AB8793
v<Ea, xrefs: 00AB63A3
v<Ea, xrefs: 00AB8359
v<Ea, xrefs: 00AB65BB
v<Ea, xrefs: 00AB7CC2
v<Ea, xrefs: 00AB7417
XO4, xrefs: 00AB6C62
v<Ea, xrefs: 00AB64B2
v<Ea, xrefs: 00AB681C
v<Ea, xrefs: 00AB6AA8
v<Ea, xrefs: 00AB75D1
v<Ea, xrefs: 00AB8593
v<Ea, xrefs: 00AB664A
v<Ea, xrefs: 00AB6CB4
v<Ea, xrefs: 00AB77EF
v<Ea, xrefs: 00AB6D40
v<Ea, xrefs: 00AB70CC
v<Ea, xrefs: 00AB8151
v<Ea, xrefs: 00AB7AF5
v<Ea, xrefs: 00AB6460
v<Ea, xrefs: 00AB87E5
v<Ea, xrefs: 00AB6568
v<Ea, xrefs: 00AB77A3
v<Ea, xrefs: 00AB83A5
v<Ea, xrefs: 00AB7C76
v<Ea, xrefs: 00AB8547
v<Ea, xrefs: 00AB7E46
v<Ea, xrefs: 00AB6D92
v<Ea, xrefs: 00AB6696
v<Ea, xrefs: 00AB73CB
cannot use operator[] with a string argument with , xrefs: 00AB89A3, 00AB8A39

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
String ID: XO4$cannot use operator[] with a string argument with $cannot use push_back() with $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
API String ID: 1311570089-1359732929
Opcode ID: 569b77a893ad3d622d4fdfad4ac7374e48d9dec6ee5c358cda84b6993ff54872
Instruction ID: 856a1195eb9c977ab5783794802fc90d8c927f4bf95e8e9129e0d4f464145ce3
Opcode Fuzzy Hash: 569b77a893ad3d622d4fdfad4ac7374e48d9dec6ee5c358cda84b6993ff54872
Instruction Fuzzy Hash: 444310B0D052688BDB65CF28C994BEDBBB5AF49304F1082D9E848B7242DB756F84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00AF49B0 Relevance: 64.1, APIs: 31, Strings: 2, Instructions: 6337fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,00B780C7,000000FF), ref: 00AF4A1C
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00AF4A43
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AF4D09
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AF506B
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AF61A7
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00AF6D42
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AF76CE
CopyFileA.KERNEL32(?,00000000,00000000), ref: 00AF779F
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AF7AC2
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AF7E2D
CopyFileA.KERNEL32(?,00000000,00000000), ref: 00AF7EFE
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AF81E9
CreateDirectoryA.KERNEL32(?,00000000,?,?,?), ref: 00AF8479
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AF862C
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AF8906
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AF8CEC
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?), ref: 00AF90A1
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AF9254
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AF952E
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AF9914
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AF7363

Part of subcall function 00AFD2B0: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00AFD906
Part of subcall function 00AFD2B0: GetLastError.KERNEL32 ref: 00AFD950

CreateDirectoryA.KERNEL32(?,00000000), ref: 00AF9D4C
CopyFileA.KERNEL32(?,00000000,00000000), ref: 00AF9EA3

Part of subcall function 00AFB7E0: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00AFB84D

CreateDirectoryA.KERNEL32(?,00000000), ref: 00AF7003

Part of subcall function 00B03B20: SetFileAttributesA.KERNEL32(?,00000080,?,?,00BA64F8,?,?), ref: 00B03E3A
Part of subcall function 00B03B20: DeleteFileA.KERNEL32(?), ref: 00B03E54
Part of subcall function 00B03B20: RemoveDirectoryA.KERNELBASE(?), ref: 00B03EBB
Part of subcall function 00B03B20: std::_Throw_Cpp_error.LIBCPMT ref: 00B03F97
Part of subcall function 00B03B20: std::_Throw_Cpp_error.LIBCPMT ref: 00B03FA8

Part of subcall function 00B03B20: GetLastError.KERNEL32 ref: 00B03ED0

CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?), ref: 00AF69F8

Part of subcall function 00AFD2B0: FindNextFileA.KERNEL32(00000000,?), ref: 00AFD91C
Part of subcall function 00AFD2B0: FindClose.KERNEL32(00000000), ref: 00AFD92C
Part of subcall function 00AFD2B0: GetLastError.KERNEL32 ref: 00AFD932

CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00AF658D

Part of subcall function 00B03B20: FindNextFileA.KERNELBASE(?,00000010), ref: 00B03E68
Part of subcall function 00B03B20: FindClose.KERNEL32(?), ref: 00B03E7A
Part of subcall function 00B03B20: GetLastError.KERNEL32 ref: 00B03E80
Part of subcall function 00B03B20: SetFileAttributesA.KERNELBASE(?,00000080), ref: 00B03E9D

CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?), ref: 00AF5D1A

Part of subcall function 00AFD2B0: CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00B82B0C,00000001,0000002E,0000002F,?,00B783D1,00A32233,00B783D1), ref: 00AFD78B

CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00AF5ECD
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?), ref: 00AF5712

Part of subcall function 00B03B20: FindFirstFileA.KERNELBASE(00000000,?,00BA64F8,?,?,?,\*.*,00000004), ref: 00B03C95

CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00AF59D3
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AF53CB

Part of subcall function 00AFD2B0: FindFirstFileA.KERNEL32(00000000,?), ref: 00AFD4BB

Part of subcall function 00B04050: GetFileAttributesA.KERNELBASE(?,?,?,00A80224), ref: 00B040AC
Part of subcall function 00B04050: GetLastError.KERNEL32(?,?,00A80224), ref: 00B040B7

Part of subcall function 00B04050: std::_Throw_Cpp_error.LIBCPMT ref: 00B040FF
Part of subcall function 00B04050: std::_Throw_Cpp_error.LIBCPMT ref: 00B04110

Strings

v<Ea, xrefs: 00AFB484
v<Ea, xrefs: 00AFA158

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: Directory$Create$File$Find$ErrorLast$CopyCpp_errorThrow_std::_$AttributesFolderPath$CloseFirstNext$DeleteRemove
String ID: v<Ea$v<Ea
API String ID: 1140557632-2190929436
Opcode ID: 44950b7b152b3889074548bae7e409302d93750b11ee79348181117796c484da
Instruction ID: 9f7fc987fad1fca4b267871561841d79d8a0c4dcd17be373fc886d6357ce4a2f
Opcode Fuzzy Hash: 44950b7b152b3889074548bae7e409302d93750b11ee79348181117796c484da
Instruction Fuzzy Hash: 0AF3F3B4D0525D8BDB15CFA8D991AEEBBB0AF19304F104199D949B7341EB702F84CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00AB8A80 Relevance: 59.6, APIs: 4, Strings: 29, Instructions: 1876stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00AB8C78
GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00AB8D85
GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 00AB8F78
lstrlen.KERNEL32(?), ref: 00ABAD4D

Strings

v<Ea, xrefs: 00ABA556
cannot use push_back() with , xrefs: 00ABAC0A, 00ABAE0C
v<Ea, xrefs: 00AB9614
v<Ea, xrefs: 00AB96F2
v<Ea, xrefs: 00AB8CFA
v<Ea, xrefs: 00AB9408
v<Ea, xrefs: 00ABA5A2
v<Ea, xrefs: 00AB8DC0
v<Ea, xrefs: 00AB8E12
v<Ea, xrefs: 00ABA80F
v<Ea, xrefs: 00AB8F1B
v<Ea, xrefs: 00ABA7C3
v<Ea, xrefs: 00ABA255
v<Ea, xrefs: 00AB96A0
v<Ea, xrefs: 00AB91C8
v<Ea, xrefs: 00AB8FAA
v<Ea, xrefs: 00ABA34F
v<Ea, xrefs: 00ABA303
v<Ea, xrefs: 00AB9CAB
v<Ea, xrefs: 00AB917C
v<Ea, xrefs: 00AB9EA9
v<Ea, xrefs: 00AB9CFA
v<Ea, xrefs: 00AB8EC8
v<Ea, xrefs: 00AB93BC
v<Ea, xrefs: 00ABA209
cannot use operator[] with a string argument with , xrefs: 00ABADBC, 00ABAE73
v<Ea, xrefs: 00AB8FF6
v<Ea, xrefs: 00ABAB1F
v<Ea, xrefs: 00AB9A2C

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
String ID: cannot use operator[] with a string argument with $cannot use push_back() with $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
API String ID: 1311570089-2661975114
Opcode ID: b90339bd387984b2e598a74b34c0905a3474bb1d814f0c30a1293b12362d1130
Instruction ID: 1efbb90b55ef9fd492e56fa1456d3e1107b2e018e3d207605535070e14a9a810
Opcode Fuzzy Hash: b90339bd387984b2e598a74b34c0905a3474bb1d814f0c30a1293b12362d1130
Instruction Fuzzy Hash: E12301B0D042688BDB65CF28C9947EDBBB5AF59304F1082D9E949B7242EB706F84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B03B20 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 334
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE(00000000,?,00BA64F8,?,?,?,\*.*,00000004), ref: 00B03C95
SetFileAttributesA.KERNEL32(?,00000080,?,?,00BA64F8,?,?), ref: 00B03E3A
DeleteFileA.KERNEL32(?), ref: 00B03E54
FindNextFileA.KERNELBASE(?,00000010), ref: 00B03E68
FindClose.KERNEL32(?), ref: 00B03E7A
GetLastError.KERNEL32 ref: 00B03E80
SetFileAttributesA.KERNELBASE(?,00000080), ref: 00B03E9D
RemoveDirectoryA.KERNELBASE(?), ref: 00B03EBB
GetLastError.KERNEL32 ref: 00B03ED0
std::_Throw_Cpp_error.LIBCPMT ref: 00B03F97
std::_Throw_Cpp_error.LIBCPMT ref: 00B03FA8

Strings

\*.*, xrefs: 00B03BE4

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: File$Find$AttributesCpp_errorErrorLastThrow_std::_$CloseDeleteDirectoryFirstNextRemove
String ID: \*.*
API String ID: 460640838-1173974218
Opcode ID: 1febbec2f27315507711ef289370ae951caef4b40a5e1320fbc4a240f46ca732
Instruction ID: 1a0bf03d2e4a774b36143624bd8f3cbe896ce557120449ccea8c8c6d6ca07a1d
Opcode Fuzzy Hash: 1febbec2f27315507711ef289370ae951caef4b40a5e1320fbc4a240f46ca732
Instruction Fuzzy Hash: 90D1F170D002498FDB20DFA8C9487EDBBF5EF55704F244299E458AB2D2DB749B88CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AFC3E0 Relevance: 13.1, APIs: 5, Strings: 2, Instructions: 876
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00AFC44A
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AFC6D9

Part of subcall function 00B04050: GetFileAttributesA.KERNELBASE(?,?,?,00A80224), ref: 00B040AC
Part of subcall function 00B04050: GetLastError.KERNEL32(?,?,00A80224), ref: 00B040B7

CreateDirectoryA.KERNEL32(?,00000000), ref: 00AFC8DA
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AFCBFA

Part of subcall function 00B04050: std::_Throw_Cpp_error.LIBCPMT ref: 00B040FF
Part of subcall function 00B04050: std::_Throw_Cpp_error.LIBCPMT ref: 00B04110

CreateDirectoryA.KERNEL32(?,00000000), ref: 00AFD02D

Part of subcall function 00B03B20: FindFirstFileA.KERNELBASE(00000000,?,00BA64F8,?,?,?,\*.*,00000004), ref: 00B03C95

Strings

v<Ea, xrefs: 00AFC85E
v<Ea, xrefs: 00AFD0F9

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: CreateDirectory$Cpp_errorFileThrow_std::_$AttributesErrorFindFirstFolderLastPath
String ID: v<Ea$v<Ea
API String ID: 2127212259-2190929436
Opcode ID: e33f26d9886ca6ea0e34313ce0cb9af90a4630e6ef7ba69a5d4d16ee9d6b2e36
Instruction ID: a1196a941c39ca6cda95fe9ac51ca4c608525eb8279613489b7617c50803218c
Opcode Fuzzy Hash: e33f26d9886ca6ea0e34313ce0cb9af90a4630e6ef7ba69a5d4d16ee9d6b2e36
Instruction Fuzzy Hash: DDA2EFB4D0425D8BDB15CFA8D991BEEBBB1BF08310F204199E949B7351E7702A84CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AFB7E0 Relevance: 13.0, APIs: 5, Strings: 2, Instructions: 731
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00AFB84D

Part of subcall function 00B04050: GetFileAttributesA.KERNELBASE(?,?,?,00A80224), ref: 00B040AC
Part of subcall function 00B04050: GetLastError.KERNEL32(?,?,00A80224), ref: 00B040B7

Part of subcall function 00B04050: std::_Throw_Cpp_error.LIBCPMT ref: 00B040FF
Part of subcall function 00B04050: std::_Throw_Cpp_error.LIBCPMT ref: 00B04110

CreateDirectoryA.KERNEL32(?,00000000), ref: 00AFBC79
CopyFileA.KERNEL32(?,00000000,00000000), ref: 00AFBE33
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AFC0C1
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AFC217

Strings

v<Ea, xrefs: 00AFC29A
v<Ea, xrefs: 00AFC123

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: CreateDirectory$Cpp_errorFileThrow_std::_$AttributesCopyErrorFolderLastPath
String ID: v<Ea$v<Ea
API String ID: 1001086254-2190929436
Opcode ID: ba07f16fde1adeaea007eaee9814e645911bbaf03e1d94b8f813b47c2b68ad4c
Instruction ID: 74dc509489b3146b8dfb707d96774e81ed2d4e1fea5bd584d0c5ac2f6e3a88d1
Opcode Fuzzy Hash: ba07f16fde1adeaea007eaee9814e645911bbaf03e1d94b8f813b47c2b68ad4c
Instruction Fuzzy Hash: 7A8204B0D0025DCBDB15CFA8C995BEEBBB0BF19304F108199E958B7241EB705A85DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AE4130 Relevance: 12.8, APIs: 3, Strings: 4, Instructions: 535
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00AE4401

Part of subcall function 00A52524: __EH_prolog3.LIBCMT ref: 00A52560

std::_Throw_Cpp_error.LIBCPMT ref: 00AE4412

Part of subcall function 00B04870: __fread_nolock.LIBCMT ref: 00B049B9

DeleteFileA.KERNELBASE(?), ref: 00AE449B

Strings

v<Ea, xrefs: 00AE477D
131, xrefs: 00AE44E5, 00AE44FE
lafos, xrefs: 00AE4521, 00AE453A
v<Ea, xrefs: 00AE4239

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$DeleteFileH_prolog3__fread_nolock
String ID: 131$lafos$v<Ea$v<Ea
API String ID: 3880692912-2067100437
Opcode ID: 9248bd09ba3dcb7bc2952b0b9cd58962c0c2d0166e11ee3dbfdc6e4695ddfba2
Instruction ID: 29935f4d8a163eade6b040e1064a34c1e0cd42575c5d561b052b477e75c0702b
Opcode Fuzzy Hash: 9248bd09ba3dcb7bc2952b0b9cd58962c0c2d0166e11ee3dbfdc6e4695ddfba2
Instruction Fuzzy Hash: 5732ADB1D00288DFCB04CFA8C941BAEBBF5BF49304F148199E8556B392DB75AE45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AE33B0 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 00AE34EF
FindNextFileA.KERNELBASE(00000000,00000010), ref: 00AE37EF
GetLastError.KERNEL32 ref: 00AE37FD
FindClose.KERNELBASE(00000000), ref: 00AE380D

Strings

v<Ea, xrefs: 00AE3494
v<Ea, xrefs: 00AE35E6
v<Ea, xrefs: 00AE35A0

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: Find$File$CloseErrorFirstLastNext
String ID: v<Ea$v<Ea$v<Ea
API String ID: 819619735-1164314080
Opcode ID: 66cb8db36cc8440c494885b77428aa995919bfafda5e284418a1c08e68e14086
Instruction ID: e5465680749c32cbd04d555635ee85b296f9706fcf6ba0f3916aacfcd7e8f00e
Opcode Fuzzy Hash: 66cb8db36cc8440c494885b77428aa995919bfafda5e284418a1c08e68e14086
Instruction Fuzzy Hash: A0D17AB1D002888FDF24CFA8C9887EEBBB1AF55314F148299D459BB382D7746A84CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B18080 Relevance: 9.2, Strings: 7, Instructions: 484
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

BINARY, xrefs: 00B182A5, 00B182B4, 00B182CE, 00B1830E, 00B18319, 00B18331, 00B18383, 00B18384
MATCH, xrefs: 00B18488, 00B18499, 00B184B9, 00B184BA, 00B184D0
RTRIM, xrefs: 00B182E8
NOCASE, xrefs: 00B183AA
no such vfs: %s, xrefs: 00B18237
sqlite_rename_table, xrefs: 00B18464
automatic extension loading failed: %s, xrefs: 00B185AC

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID:
String ID: BINARY$MATCH$NOCASE$RTRIM$automatic extension loading failed: %s$no such vfs: %s$sqlite_rename_table
API String ID: 0-1885142750
Opcode ID: 97634c2dd4f8dc850635e8fc50e5118c4abd3a2a1e1b4f1adb317075e8d8f8d4
Instruction ID: a3de9b6f35a66053d424f8906ad2ad0351364f6fa7a41027a1bb345f52462e77
Opcode Fuzzy Hash: 97634c2dd4f8dc850635e8fc50e5118c4abd3a2a1e1b4f1adb317075e8d8f8d4
Instruction Fuzzy Hash: CB0249B0A007009FEB209F14DC467ABB7E5FF51704F5444A9F44A9B2A1DFB5EA84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AE52A0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 399COMMON

Download Yara Rule

Strings

v<Ea, xrefs: 00AE55B5
v<Ea, xrefs: 00AE552A
v<Ea, xrefs: 00AE5451

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID:
String ID: v<Ea$v<Ea$v<Ea
API String ID: 0-1164314080
Opcode ID: 162390abc2cafa50731fd05154702fa26c3755b0e5f7ec2241e227c9439a6941
Instruction ID: d91a23260c1e77acc03fe22dad5ee841d710cbc0e130dfe225f39edbcc8ca249
Opcode Fuzzy Hash: 162390abc2cafa50731fd05154702fa26c3755b0e5f7ec2241e227c9439a6941
Instruction Fuzzy Hash: 6C02F270D04288DFDF14DFA8CA457DDBBB0AB15308F548199E8057B382DBB55E88DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B5C8D0 Relevance: 3.5, APIs: 2, Instructions: 484COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B5CA85
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B5CD87

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 8a8670c8f8ca74523ebbbc01125f51bb15ff5bdbade1ec2deec0049c9954e628
Instruction ID: abbbac3a0ecbaa73078cae257746ca47ff9029889e8b2a71316c05b00387811d
Opcode Fuzzy Hash: 8a8670c8f8ca74523ebbbc01125f51bb15ff5bdbade1ec2deec0049c9954e628
Instruction Fuzzy Hash: D5028C70604706AFDB58CB28C840B6ABBE2FF89316F0486EDE859C7650D774ED58CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A6001D Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c6483e0ef5f69815ae7ace7fa2341faf41876fec134ee56822b8418c1e3eb2
Instruction ID: 82279a60342b43309038d5e35bc37d3c7fe6f711ddd6bca86926a53494962f26
Opcode Fuzzy Hash: 01c6483e0ef5f69815ae7ace7fa2341faf41876fec134ee56822b8418c1e3eb2
Instruction Fuzzy Hash: 9DB1C37090060A8BCB29CF68C965EBFBBB1AF16300F14461ED9929B791D7319EC5CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A83650 Relevance: 102.1, APIs: 3, Strings: 54, Instructions: 2365COMMON

Download Yara Rule

APIs

Part of subcall function 00B04050: GetFileAttributesA.KERNELBASE(?,?,?,00A80224), ref: 00B040AC
Part of subcall function 00B04050: GetLastError.KERNEL32(?,?,00A80224), ref: 00B040B7

Part of subcall function 00B03FC0: CreateDirectoryA.KERNELBASE(?,00000000,00000005), ref: 00B04005

CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A85AD0
CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00A85DF5

Part of subcall function 00B04050: std::_Throw_Cpp_error.LIBCPMT ref: 00B040FF
Part of subcall function 00B04050: std::_Throw_Cpp_error.LIBCPMT ref: 00B04110

CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00A85CE6

Strings

v<Ea, xrefs: 00A85F16
v<Ea, xrefs: 00A83C78
v<Ea, xrefs: 00A85C36
v<Ea, xrefs: 00A85750
v<Ea, xrefs: 00A84565
v<Ea, xrefs: 00A846C0
v<Ea, xrefs: 00A856EB
v<Ea, xrefs: 00A85674
v<Ea, xrefs: 00A85519
v<Ea, xrefs: 00A84082
v<Ea, xrefs: 00A842EA
v<Ea, xrefs: 00A85112
v<Ea, xrefs: 00A8501F
v<Ea, xrefs: 00A8546D
v<Ea, xrefs: 00A84DBE
v<Ea, xrefs: 00A8426F
v<Ea, xrefs: 00A862E7
v<Ea, xrefs: 00A84B38
v<Ea, xrefs: 00A83C06
v<Ea, xrefs: 00A863DA
v<Ea, xrefs: 00A83990
v<Ea, xrefs: 00A84EE2
v<Ea, xrefs: 00A83D23
v<Ea, xrefs: 00A8400A
v<Ea, xrefs: 00A8518D
v<Ea, xrefs: 00A8537A
v<Ea, xrefs: 00A8635F
v<Ea, xrefs: 00A867E8
v<Ea, xrefs: 00A845E4
v<Ea, xrefs: 00A86033
v<Ea, xrefs: 00A853F2
v<Ea, xrefs: 00A840FD
v<Ea, xrefs: 00A8615D
v<Ea, xrefs: 00A84362
v<Ea, xrefs: 00A83741
v<Ea, xrefs: 00A83F8F
v<Ea, xrefs: 00A8465B
v<Ea, xrefs: 00A85F88
v<Ea, xrefs: 00A85D48
v<Ea, xrefs: 00A85590
v<Ea, xrefs: 00A84CA7
v<Ea, xrefs: 00A855F5
v<Ea, xrefs: 00A8663D
v<Ea, xrefs: 00A84489
v<Ea, xrefs: 00A84500
v<Ea, xrefs: 00A864A0
v<Ea, xrefs: 00A83A9B
v<Ea, xrefs: 00A8626C
v<Ea, xrefs: 00A852FF
v<Ea, xrefs: 00A8509A
v<Ea, xrefs: 00A843DD
v<Ea, xrefs: 00A84A30
v<Ea, xrefs: 00A83E4D
v<Ea, xrefs: 00A84D19

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorFileLast
String ID: v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
API String ID: 453214671-409038647
Opcode ID: c76a1f24d533fd35174f4f93fd73cb1ec5151fe381113aa97038a541cad5bdba
Instruction ID: acd0200fd890aad8a51dbafc37831c8dbe5c99308db6ec31be3fb6f175506be8
Opcode Fuzzy Hash: c76a1f24d533fd35174f4f93fd73cb1ec5151fe381113aa97038a541cad5bdba
Instruction Fuzzy Hash: 5753BBB1D152688FDB65DF68CD95BDDBBB4AB19300F0081EAE449A7291EB702F84CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00A7E090 Relevance: 46.3, APIs: 10, Strings: 16, Instructions: 832
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A2B8E0: CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A2BA08

CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A7E192
CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 00A7E322
CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 00A7E415
CreateDirectoryA.KERNEL32(?,00000000), ref: 00A7E50B
CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00A7E757
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A7E8D5
CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 00A7EA65
CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 00A7EB58

Part of subcall function 00B04050: GetFileAttributesA.KERNELBASE(?,?,?,00A80224), ref: 00B040AC
Part of subcall function 00B04050: GetLastError.KERNEL32(?,?,00A80224), ref: 00B040B7

CreateDirectoryA.KERNEL32(?,00000000), ref: 00A7EC4E
CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,-0000004C), ref: 00A7EEA6

Part of subcall function 00AF49B0: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,00B780C7,000000FF), ref: 00AF4A1C
Part of subcall function 00AF49B0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00AF4A43

Strings

v<Ea, xrefs: 00A7E458
v<Ea, xrefs: 00A7E5C3
v<Ea, xrefs: 00A7E9C4
4<Ea, xrefs: 00A7ECA4
v<Ea, xrefs: 00A7EA9B
v<Ea, xrefs: 00A7EB9B
4<Ea, xrefs: 00A7E561
v<Ea, xrefs: 00A7E120
v<Ea, xrefs: 00A7ED77
v<Ea, xrefs: 00A7EDEC
v<Ea, xrefs: 00A7E281
v<Ea, xrefs: 00A7E691
v<Ea, xrefs: 00A7E358
v<Ea, xrefs: 00A7E869
v<Ea, xrefs: 00A7ED12
v<Ea, xrefs: 00A7E61C

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: CreateDirectory$FolderPath$AttributesErrorFileLast
String ID: 4<Ea$4<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
API String ID: 3066340180-3580313535
Opcode ID: 52af73f56172ca9bc7a812482f224472e061b979091abd39260a8647a1053340
Instruction ID: f7f726766ea73cdd470ebe6b45eee035a40e1cf205c8dc8c909c9352110127cc
Opcode Fuzzy Hash: 52af73f56172ca9bc7a812482f224472e061b979091abd39260a8647a1053340
Instruction Fuzzy Hash: E59214B0D042A89BDB25DB68CD95BDDBBB4AF15304F0081E9E449B7292EB705F88CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B01AD0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 291
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegGetValueA.KERNELBASE(80000002,?,?,0001FFFF,?,?,00000104), ref: 00B01E20
GetComputerNameExA.KERNELBASE(00000002,?,00000104), ref: 00B01E8C
LsaOpenPolicy.ADVAPI32(00000000,00BA4684,00000001,?), ref: 00B01EE5
LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 00B01EF8
LsaFreeMemory.ADVAPI32(?), ref: 00B01F26
LsaClose.ADVAPI32(?), ref: 00B01F2F

Strings

%wZ, xrefs: 00B01F15
v<Ea, xrefs: 00B01CD7

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: Policy$CloseComputerFreeInformationMemoryNameOpenQueryValue
String ID: %wZ$v<Ea
API String ID: 762890658-2964453009
Opcode ID: 3c8c27b471f01cf299c5425aa2dacc8f69be26f9c330ecdfc2cba96b3ae7e61d
Instruction ID: 8e07c20db923c50fe16ad192c6c390ef88d85768ad1c00ff9c33771f33331dc1
Opcode Fuzzy Hash: 3c8c27b471f01cf299c5425aa2dacc8f69be26f9c330ecdfc2cba96b3ae7e61d
Instruction Fuzzy Hash: 29E1D1B4D0425ADBDB14CF98D986BEEBBB4BF08300F204199E949B7351D7706A85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AE5940 Relevance: 12.1, APIs: 8, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00AE596A
getaddrinfo.WS2_32(?,?,?,00BA6328), ref: 00AE59EC
socket.WS2_32(?,?,?), ref: 00AE5A0D
connect.WS2_32(00000000,00B76B31,?), ref: 00AE5A21
closesocket.WS2_32(00000000), ref: 00AE5A2D
FreeAddrInfoW.WS2_32(?), ref: 00AE5A3A
WSACleanup.WS2_32 ref: 00AE5A40
FreeAddrInfoW.WS2_32(?), ref: 00AE5A55

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: AddrFreeInfo$CleanupStartupclosesocketconnectgetaddrinfosocket
String ID:
API String ID: 448659506-0
Opcode ID: d4ba764557b756274928782654dc4785648eb53cd031f3b370f34e9c5056db81
Instruction ID: eec103b692c7cc71f0c763c262b5fa8efa38d1df2d12c40d035d9a5ce280ce53
Opcode Fuzzy Hash: d4ba764557b756274928782654dc4785648eb53cd031f3b370f34e9c5056db81
Instruction Fuzzy Hash: 9731A1729047409BD7209F75EC88A6ABBE5FB84778F11072DF8A9931E0D730AC448A96

Uniqueness

Uniqueness Score: -1.00%

Function 00A29280 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 382
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(Ws2_32.dll), ref: 00A296A6
GetProcAddress.KERNEL32(00000000,?), ref: 00A296B4
WSASend.WS2_32(?,?,00000001,?,00000000,00000000,00000000), ref: 00A296C9

Strings

Ws2_32.dll, xrefs: 00A2969A
v<Ea, xrefs: 00A2962C
v<Ea, xrefs: 00A29660

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: AddressHandleModuleProcSend
String ID: Ws2_32.dll$v<Ea$v<Ea
API String ID: 2819740048-996692458
Opcode ID: f5dff0d3875b668f2e9d88677d98018d1e7971c98ec4a1f002ca8d872dc35783
Instruction ID: b36b2f677b14ac8e76d2023af9c21a115c52428707d0a519cf5c42e34129305a
Opcode Fuzzy Hash: f5dff0d3875b668f2e9d88677d98018d1e7971c98ec4a1f002ca8d872dc35783
Instruction Fuzzy Hash: B1020E70E04298DFDF24CFA8D8907ADBBB0FF55714F24429DE4896B682D7701986CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A68900 Relevance: 9.3, APIs: 6, Instructions: 292
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5f7f6d16c95f4bf4c84c7799d2790903149cb1de1009627ebe64105b59db87
Instruction ID: cf961ef72b6834f319d0fd94d09967e8a0ddb49aa165abf1c1eeaf46e64410f1
Opcode Fuzzy Hash: 5c5f7f6d16c95f4bf4c84c7799d2790903149cb1de1009627ebe64105b59db87
Instruction Fuzzy Hash: C1B1F6B4A04249AFDF11DF98C881BBE7BB9FF49310F184259E41597292CF789D81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AF3B40 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 278fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,00000000), ref: 00AF3DD0

Part of subcall function 00AF3F50: GetLastError.KERNEL32(?,00000000), ref: 00AF3F83
Part of subcall function 00AF3F50: 6E417CF0.RSTRTMGR(?,00000000,?), ref: 00AF4000

std::_Throw_Cpp_error.LIBCPMT ref: 00AF3F34
std::_Throw_Cpp_error.LIBCPMT ref: 00AF3F45

Strings

v<Ea, xrefs: 00AF3D17

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CopyE417ErrorFileLast
String ID: v<Ea
API String ID: 1193564277-4124759590
Opcode ID: 950dec72568b72d810e3d1c0c300607d0a55c15746e7ed8ac330ab9a0c6c1f89
Instruction ID: 4a0f4de170c72f6c1ba90696cc33d2eee22a7750d44e55fda2309d76c5c51fe4
Opcode Fuzzy Hash: 950dec72568b72d810e3d1c0c300607d0a55c15746e7ed8ac330ab9a0c6c1f89
Instruction Fuzzy Hash: C0D16BB1D00349DBDB14CFA8D9457EDBBB0AF55304F248299E814B7382EB745B89CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00AB1680 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 264registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00000001,?), ref: 00AB18A9
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,?), ref: 00AB18CC
RegCloseKey.ADVAPI32(?), ref: 00AB18D7

Strings

v<Ea, xrefs: 00AB17B6

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: v<Ea
API String ID: 3677997916-4124759590
Opcode ID: a06769a7f7937a6bc16f49d803afffb09f47cbfb32669d417a8b6a5bafcd2b10
Instruction ID: f4fad7c902c1da31025b8b65ea3dd9c570eddeed1f0c52248be207853e15b4f4
Opcode Fuzzy Hash: a06769a7f7937a6bc16f49d803afffb09f47cbfb32669d417a8b6a5bafcd2b10
Instruction Fuzzy Hash: 4BC115B1D042599BDB14DFA8C986BEEBBB4FF08310F204159E915B7381D7746A848BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B04050 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,?,00A80224), ref: 00B040AC
GetLastError.KERNEL32(?,?,00A80224), ref: 00B040B7
std::_Throw_Cpp_error.LIBCPMT ref: 00B040FF
std::_Throw_Cpp_error.LIBCPMT ref: 00B04110

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$AttributesErrorFileLast
String ID:
API String ID: 995686243-0
Opcode ID: f065e40079c9f13f10a001594fcba6165328088f56fc0d2280348ff0a03f68e9
Instruction ID: 27da3dea0f513dcaa05358aa41548fb6c8f2aca56ab315a73f982a4f8b97c8c6
Opcode Fuzzy Hash: f065e40079c9f13f10a001594fcba6165328088f56fc0d2280348ff0a03f68e9
Instruction Fuzzy Hash: ED1134F1944240AACB244F289D457697FE4E703731F2803A4EB25EBAD0FF32885C8752

Uniqueness

Uniqueness Score: -1.00%

Function 00B02BA0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 350COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00B02C3F
GetVolumeInformationA.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00B02F4B

Strings

v<Ea, xrefs: 00B02FC6

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: DirectoryInformationVolumeWindows
String ID: v<Ea
API String ID: 3487004747-4124759590
Opcode ID: d1bc70920a492793df660202b90cc67c89e2a98a2b58ad54c6f6e3568c558b91
Instruction ID: 5b6f186e0a24ffb865bfa7baf4906495a73dbf628e4510df8b1bba700978a772
Opcode Fuzzy Hash: d1bc70920a492793df660202b90cc67c89e2a98a2b58ad54c6f6e3568c558b91
Instruction Fuzzy Hash: A7F148B1D102499BDB15CFA8D985BEEFBB1BF09304F24425DE944B7381E7706A84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A6B9C2 Relevance: 4.5, APIs: 3, Instructions: 17fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,00A5D2A1,?), ref: 00A6B9CA
GetLastError.KERNEL32(?,00A5D2A1,?), ref: 00A6B9D4
__dosmaperr.LIBCMT ref: 00A6B9DB

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: DeleteErrorFileLast__dosmaperr
String ID:
API String ID: 1545401867-0
Opcode ID: 0480983b590b82af539bd38b0ef07b33ac8bc191c9f1cff2160e853c7c705bad
Instruction ID: 886446e55b8cca7584ead01921fed8848c4929c25588ee5ecdf3cfe946157df6
Opcode Fuzzy Hash: 0480983b590b82af539bd38b0ef07b33ac8bc191c9f1cff2160e853c7c705bad
Instruction Fuzzy Hash: 48D0123211420877DB502BF6FC4991A7F6D9FC13767180A51F52CC65A0EF36C8D1D551

Uniqueness

Uniqueness Score: -1.00%

Function 00B049F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00B04B5C

Strings

v<Ea, xrefs: 00B04AB2

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: __fread_nolock
String ID: v<Ea
API String ID: 2638373210-4124759590
Opcode ID: 009b7a2ae70170bf7911380791526cb54ac295a4d4f5983c579a571663c58200
Instruction ID: 8d1f9d58cf5b9b944f042d7013a3dcb7976f8a3952b63952ab10eed9a51e4743
Opcode Fuzzy Hash: 009b7a2ae70170bf7911380791526cb54ac295a4d4f5983c579a571663c58200
Instruction Fuzzy Hash: D6513BB0D002499BDB20DF98D946BAEBBF4FF44714F10421DE9516B381D775AA44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B04870 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00B049B9

Strings

v<Ea, xrefs: 00B04912

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: __fread_nolock
String ID: v<Ea
API String ID: 2638373210-4124759590
Opcode ID: 2ec7bdf16d443ce8f17161597d53f10a33effa7b86bdfed369f2d2e736db4cb1
Instruction ID: 0cdd1f29fdf6315a11870d3fa41a4f0176f7664439dfa13654b575346d1a28b9
Opcode Fuzzy Hash: 2ec7bdf16d443ce8f17161597d53f10a33effa7b86bdfed369f2d2e736db4cb1
Instruction Fuzzy Hash: F64139B1D00248DFDB10DF98D986BAEBBB4FF49714F104169E814BB381E775A905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A69779 Relevance: 3.2, APIs: 2, Instructions: 196fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A68E8F: GetConsoleOutputCP.KERNEL32(CC0E111E,00000000,00000000,00A5D0B7), ref: 00A68EF2

WriteFile.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,?,00B041EC,?,00A5CFD7,00B041EC,?,00B96E10,00000010,00A5D0B7), ref: 00A698FE
GetLastError.KERNEL32(?,00A5CFD7,00B041EC,?,00B96E10,00000010,00A5D0B7,00B041EC,?,00000000,?), ref: 00A69908

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: e5a4157e583b80fd081e8a9dea08ace04c2edf196d016d8584b36c645b3cda5f
Instruction ID: 5b079f34c753fad21d771feaf540506205a723ec4541f1a700269ebe7fcabde7
Opcode Fuzzy Hash: e5a4157e583b80fd081e8a9dea08ace04c2edf196d016d8584b36c645b3cda5f
Instruction Fuzzy Hash: 9061A0B2C04119AFDF11DFA8C984AEFBBBDAF4A314F140149E904A7256D732DA01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AF39A0 Relevance: 3.1, APIs: 2, Instructions: 131COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00AF3B1A
std::_Throw_Cpp_error.LIBCPMT ref: 00AF3B2B

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: f56ec33203ae5c497b4f728cbabcefe532bc23c022d0b6521223f5c939f40d58
Instruction ID: 2c04df433540e69d4cf7aff9b1070d7f8a0f818d198009d13c0d30a84d2568d0
Opcode Fuzzy Hash: f56ec33203ae5c497b4f728cbabcefe532bc23c022d0b6521223f5c939f40d58
Instruction Fuzzy Hash: 3A4104B2E003058BCB24EF6CD94276EB7F0BB81310F184329E96597391EB76AA05C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 00A68DEF Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00A68CD6,00000000,CF830579,00B97178,0000000C,00A68D92,00A5D06D,?), ref: 00A68E45
GetLastError.KERNEL32(?,00A68CD6,00000000,CF830579,00B97178,0000000C,00A68D92,00A5D06D,?), ref: 00A68E4F

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: c5122d02e0c37b734fffd0854274ced9f06fe6e3d875c3dd4780c16764618ad6
Instruction ID: cfd783a3f831e061ae74620522457d8d67674cff5ed9a058d9c09440f822c7e3
Opcode Fuzzy Hash: c5122d02e0c37b734fffd0854274ced9f06fe6e3d875c3dd4780c16764618ad6
Instruction Fuzzy Hash: 0C116B3BA002105BC6256334AD4AB7E677DCF82734F290719F818971D2EF3ADC808191

Uniqueness

Uniqueness Score: -1.00%

Function 00A6250C Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00A5D0B7,00000000,00000002,00000000,00000000,00000000,00000000,?,00A62646,00000000,00000000,00A5D0B7,00000002,00000000), ref: 00A62548
GetLastError.KERNEL32(00000000,?,00A62646,00000000,00000000,00A5D0B7,00000002,00000000,?,00A6981E,00000000,00000000,00000000,00000002,00A5D0B7,00000000), ref: 00A62555

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 68705907395c180fa3512095dcae4a37eddd0a6115970fe70a07bc013e820491
Instruction ID: fd49d59f05ceb6c67c00510fa401e1bcc89117959dcafb0d910a36558971b8fb
Opcode Fuzzy Hash: 68705907395c180fa3512095dcae4a37eddd0a6115970fe70a07bc013e820491
Instruction Fuzzy Hash: 5201D637610515AFCF25CF69DC5599E3B39EB85320F240208F8129B2A1FA75EE918B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A6B00C Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00A71B36,?,00000000,?,?,00A71DD7,?,00000007,?,?,00A722CB,?,?), ref: 00A6B022
GetLastError.KERNEL32(?,?,00A71B36,?,00000000,?,?,00A71DD7,?,00000007,?,?,00A722CB,?,?), ref: 00A6B02D

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: d97c08d6fb251fbc6c56d248f9095934979f8fdd0e9d4f006fb3c4138b20090b
Instruction ID: 6e4aacd5e57d4d2a9e539009ac946013a28da39df7ec6b58afc6447c1be86a8b
Opcode Fuzzy Hash: d97c08d6fb251fbc6c56d248f9095934979f8fdd0e9d4f006fb3c4138b20090b
Instruction Fuzzy Hash: A8E08C36100204ABCB212FB4EC09B8E3F69AB40355F194020F61CD70A0DF3888D0C794

Uniqueness

Uniqueness Score: -1.00%

Function 00A35350 Relevance: 1.7, APIs: 1, Instructions: 184COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00A3546E

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 781c3fc77c9363063cdcf14b5ea8e505755770405d9ab2dc3679e09deb6bd129
Instruction ID: d78e2493ad0c5dfc36c05c47f1d06c383fa186fd6a0157959ab19098f892b01a
Opcode Fuzzy Hash: 781c3fc77c9363063cdcf14b5ea8e505755770405d9ab2dc3679e09deb6bd129
Instruction Fuzzy Hash: E06167B1A00614DFCB14CF6DCA84B5ABBF5FF48710F24816AE8199B391C775EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A58DF2 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70dae515c8f8d4bb7c1b3d5592c4f10650054f466118486a934b17e68b2285b
Instruction ID: bc20b89c5c9ee26ee6de08689a5ca5fa24814a594d6aa8b58c14705af3f38ab6
Opcode Fuzzy Hash: b70dae515c8f8d4bb7c1b3d5592c4f10650054f466118486a934b17e68b2285b
Instruction Fuzzy Hash: D951B570A00204BFDB14DF58C885AA97BB2FF49325F288159FC49AB252D735DE49CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A26870 Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

___std_fs_directory_iterator_open@12.LIBCPMT ref: 00A26908

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: ___std_fs_directory_iterator_open@12
String ID:
API String ID: 29801545-0
Opcode ID: 3fdedc6b77ab0214d5cadd34b860f63a693fcf20b5d87c40a23a75ab70636c3d
Instruction ID: a62fb214338c39725c8742c460f4dc1e71d7a465d8d2514eb6ff0486a90ee6fb
Opcode Fuzzy Hash: 3fdedc6b77ab0214d5cadd34b860f63a693fcf20b5d87c40a23a75ab70636c3d
Instruction Fuzzy Hash: B321A276E01629ABCB18DF48E941BAEF7B4FB84320F00066AEC1963780DB356D44CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00B030B0 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

SetupDiGetClassDevsA.SETUPAPI(00B7A560,00000000,00000000), ref: 00B030F7

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: ClassDevsSetup
String ID:
API String ID: 2330331845-0
Opcode ID: 25bf9b7604d7c516d35cb521682b2d42c8dcd193d5842b04a7a6b31e8135a8fe
Instruction ID: e605b4f192377732016409090ccf444a44f95623e9f376c1c36ba5a962614759
Opcode Fuzzy Hash: 25bf9b7604d7c516d35cb521682b2d42c8dcd193d5842b04a7a6b31e8135a8fe
Instruction Fuzzy Hash: 31110EB0D04744ABE3208F18D94A71BBFF4EB04B20F10435DE865673C0E7B56A5487D2

Uniqueness

Uniqueness Score: -1.00%

Function 00A232D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00A2331F

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 6ec4655adc9d8c581670169791bfeb4c3c4bb59604ad5d7a34e59d92e7cd2194
Instruction ID: 31744bd37783fb8d2eb9eaeb5eb81e1a2b52682d16b7535b07b09829b720ef78
Opcode Fuzzy Hash: 6ec4655adc9d8c581670169791bfeb4c3c4bb59604ad5d7a34e59d92e7cd2194
Instruction Fuzzy Hash: AEF024331001249BCF14AF68E5059EAB3E8EF143A2710093EE98CCB612EB3ADB448780

Uniqueness

Uniqueness Score: -1.00%

Function 00A6A64C Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,000000FF,00000000), ref: 00A6A68D

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 652acd1365f167efc1a60ad85d7878d72138d3a0afba2a8271355530fbf387bd
Instruction ID: 3a0765e4736cd85d4dd205ef6d7dc0ba30f46e785e59e00893ef147ce54dfe12
Opcode Fuzzy Hash: 652acd1365f167efc1a60ad85d7878d72138d3a0afba2a8271355530fbf387bd
Instruction Fuzzy Hash: 6DF0B43E6006216B9B225B62DD09A5A377DAB61760B1D8111E808BB190DA34D8008EE2

Uniqueness

Uniqueness Score: -1.00%

Function 00A26840 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00A26853

Part of subcall function 00A51F6B: FindNextFileW.KERNELBASE(?,?,?,00A26858,?,?,?,?,00A2691A,?,?,?,00000000,?,?), ref: 00A51F74

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: FileFindNext___std_fs_directory_iterator_advance@8
String ID:
API String ID: 3878998205-0
Opcode ID: fff74abef5ad4ab776fc00913f1374bcbb9169b1c9b3633ac3d7d852fcb85055
Instruction ID: 01f87e9301d21da516b00c2059416f80c5cf5d3a3138d91a94f176cf23ef33f3
Opcode Fuzzy Hash: fff74abef5ad4ab776fc00913f1374bcbb9169b1c9b3633ac3d7d852fcb85055
Instruction Fuzzy Hash: 71D01231B06930111E297B7F3A05ABF46995DE6BB4F89047EFD4AD3242EF148C0B40E6

Uniqueness

Uniqueness Score: -1.00%

Function 00A666C5 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00A666CC

Memory Dump Source

Source File: 00000000.00000002.2017971644.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2017949212.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018073090.0000000000B7A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018096716.0000000000B7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018127852.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018149937.0000000000BA2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018169234.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018229414.0000000000BBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018248941.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018267111.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000BCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D30000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D38000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D87000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D89000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018328340.0000000000DC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2019197521.0000000000F20000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_file.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: f3b99bdac7e1b305a159835f4c81fe28751a9f2559dc09f85a3bc9367c379b0d
Instruction ID: b72ea337c6dc34efd073a0bf7cfb14e6c5c36380371780f766b196a7e69daef7
Opcode Fuzzy Hash: f3b99bdac7e1b305a159835f4c81fe28751a9f2559dc09f85a3bc9367c379b0d
Instruction Fuzzy Hash: E5E09AB6D4020DAADF00DFE4C646BEFB7B8AB04315F504066A615E6141EB7897488BA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_ec619316d435a0621ba3667744ac4ba198646d78_d1a40e08_5a4c7c3f-49b6-4eb3-8d5b-bf782d5388aa\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_ec619316d435a0621ba3667744ac4ba198646d78_d1a40e08_afb271d8-43e5-41cb-b5ef-4dcf3dfdaae0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_a2a636d6b528a3cf542617edd8df83f41ab1c4b_394a0634_aa0059fc-b7e6-4132-8e38-83f092b6ad00\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2651.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER26CF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER26D0.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2828.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2867.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2886.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER28E4.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2940.tmp.WERInternalMetadata.xml

Windows Analysis Report
file.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre